Researchers only “scratching the surface” of a pervasive Android bloatware issue

Pre-installed Android apps for third parties pose security and privacy risks

Smartphone hacking picture

Researchers have discovered a dangerous trend concerning Android phone manufacturers whereby third-parties will pay to install pre-loaded apps containing potentially harmful code.

These third parties could be mobile network operators or other third-party advertising companies which will install different apps at the supply chain level so manufacturers can squeeze a little extra revenue out of each device sold.

Advertisement - Article continues below

The most dangerous cases where when malware was actually installed from these proprietary apps introduced by third parties. The researchers noted that such infections typically occurred in the low-end range of phones, but it was also evident in some high-end phones too.

"We identified variants of well-known Android malware families that have been prevalent in the last few years, including Triada, Rootnik, SnowFox, Xinyin, Ztorg, Iop, and dubious software developed by GMobi," read the research paper.

"According to existing AV reports, the range of behaviours that such samples exhibit encompass banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads, among others."

In addition to the malware-laden apps, researchers found that many apps also had access to personally identifiable information (PII) and these appeared to distribute said information to third parties.

Other intrusive behaviours observed include apps being able to collect and distribute email and phone call metadata to third parties; this data could include contact details and recipients which can inform leads used by marketers.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The data analysed by university researchers from the US and Spain was based on information provided by 2,748 volunteers using 1,742 different Android devices.

It's not just security issues that Android users are facing, the researchers point to a much wider chain of partnerships between handset vendors, network carriers, analytics services and online services such as Skype and Dropbox.

These far-reaching partnerships "suggest and in some cases confirm" instances where the companies you trust the most, namely Samsung, Huawei and Sony are knowingly granting permissions which circumvent Android's prevention of apps accessing sensitive data to third-party apps.

For example, Chinese tech giant Baidu's geo-location permission can be exposed and circumvented by third-party apps, meaning your location data could be accessed by an app which you didn't explicitly approve.

Facebook has also been found to download other associated software such as Instagram after permissions were circumvented in 24 Android vendors including Samsung, Asus, Xiaomi, HTC, Sony and LG.

Advertisement - Article continues below

The researchers say that after a full year, they've only just begun to scratch the surface of a much wider issue surrounding the Android device supply chain and the effect it's having on user security and privacy.

In terms of how to rectify the situation, the researchers speculate on a few possibilities. "Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs."

"Alternatively, in absence of self-regulation, governments and regulatory bodies could step in and enact regulations and execute enforcement actions that wrest back some of the control from the various actors in the supply chain."

Google's Play Protect is Android's built-in malware protection against nefarious apps and is "backed by the strength of Google's machine learning algorithms, it is always improving in real time", according to its web page.

We approached Google for comment on the extent to which Play Protect can mitigate the threats imposed by these pre-installed apps but it did not immediately reply to our emails.

The discovery highlights the prevailing issue with Android apps both proprietary and downloaded from the Google Play store where security and privacy issues run rife.

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement
Advertisement

Recommended

Visit/security/cyber-security/355267/zoom-hires-ex-facebook-cso-to-boost-platform-security
cyber security

Zoom hires ex-Facebook CSO Alex Stamos to boost platform security

8 Apr 2020
Visit/security/vulnerability/355236/hp-support-assistant-flaws-leave-windows-devices-open-to-attack
vulnerability

HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
Visit/security/cyber-security/355234/safari-bug-let-hackers-access-cameras-on-iphones-and-macs
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
Visit/software/video-conferencing/355229/zoom-we-moved-too-fast
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/server-storage/servers/355254/a-critical-flaw-in-350000-microsoft-exchange-remains-unpatched
servers

A critical flaw in 350,000 Microsoft Exchange remains unpatched

7 Apr 2020
Visit/software/video-conferencing/355257/taiwan-first-country-to-ban-zoom-amid-security-concerns
video conferencing

Taiwan becomes first country to ban Zoom amid security concerns

8 Apr 2020