Researchers only “scratching the surface” of a pervasive Android bloatware issue

Pre-installed Android apps for third parties pose security and privacy risks

Smartphone hacking picture

Researchers have discovered a dangerous trend concerning Android phone manufacturers whereby third-parties will pay to install pre-loaded apps containing potentially harmful code.

These third parties could be mobile network operators or other third-party advertising companies which will install different apps at the supply chain level so manufacturers can squeeze a little extra revenue out of each device sold.

The most dangerous cases where when malware was actually installed from these proprietary apps introduced by third parties. The researchers noted that such infections typically occurred in the low-end range of phones, but it was also evident in some high-end phones too.

"We identified variants of well-known Android malware families that have been prevalent in the last few years, including Triada, Rootnik, SnowFox, Xinyin, Ztorg, Iop, and dubious software developed by GMobi," read the research paper.

"According to existing AV reports, the range of behaviours that such samples exhibit encompass banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads, among others."

In addition to the malware-laden apps, researchers found that many apps also had access to personally identifiable information (PII) and these appeared to distribute said information to third parties.

Other intrusive behaviours observed include apps being able to collect and distribute email and phone call metadata to third parties; this data could include contact details and recipients which can inform leads used by marketers.

The data analysed by university researchers from the US and Spain was based on information provided by 2,748 volunteers using 1,742 different Android devices.

It's not just security issues that Android users are facing, the researchers point to a much wider chain of partnerships between handset vendors, network carriers, analytics services and online services such as Skype and Dropbox.

These far-reaching partnerships "suggest and in some cases confirm" instances where the companies you trust the most, namely Samsung, Huawei and Sony are knowingly granting permissions which circumvent Android's prevention of apps accessing sensitive data to third-party apps.

For example, Chinese tech giant Baidu's geo-location permission can be exposed and circumvented by third-party apps, meaning your location data could be accessed by an app which you didn't explicitly approve.

Facebook has also been found to download other associated software such as Instagram after permissions were circumvented in 24 Android vendors including Samsung, Asus, Xiaomi, HTC, Sony and LG.

The researchers say that after a full year, they've only just begun to scratch the surface of a much wider issue surrounding the Android device supply chain and the effect it's having on user security and privacy.

In terms of how to rectify the situation, the researchers speculate on a few possibilities. "Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs."

"Alternatively, in absence of self-regulation, governments and regulatory bodies could step in and enact regulations and execute enforcement actions that wrest back some of the control from the various actors in the supply chain."

Google's Play Protect is Android's built-in malware protection against nefarious apps and is "backed by the strength of Google's machine learning algorithms, it is always improving in real time", according to its web page.

We approached Google for comment on the extent to which Play Protect can mitigate the threats imposed by these pre-installed apps but it did not immediately reply to our emails.

The discovery highlights the prevailing issue with Android apps both proprietary and downloaded from the Google Play store where security and privacy issues run rife.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

What is DevSecOps and why is it important?
Security

What is DevSecOps and why is it important?

30 Oct 2020
Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle
Security

Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

30 Oct 2020
Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020

Most Popular

Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020
Hackers demand ransom from therapy patients after clinic data breach
Security

Hackers demand ransom from therapy patients after clinic data breach

27 Oct 2020