Researchers only “scratching the surface” of a pervasive Android bloatware issue

Pre-installed Android apps for third parties pose security and privacy risks

Smartphone hacking picture

Researchers have discovered a dangerous trend concerning Android phone manufacturers whereby third-parties will pay to install pre-loaded apps containing potentially harmful code.

These third parties could be mobile network operators or other third-party advertising companies which will install different apps at the supply chain level so manufacturers can squeeze a little extra revenue out of each device sold.

The most dangerous cases where when malware was actually installed from these proprietary apps introduced by third parties. The researchers noted that such infections typically occurred in the low-end range of phones, but it was also evident in some high-end phones too.

"We identified variants of well-known Android malware families that have been prevalent in the last few years, including Triada, Rootnik, SnowFox, Xinyin, Ztorg, Iop, and dubious software developed by GMobi," read the research paper.

"According to existing AV reports, the range of behaviours that such samples exhibit encompass banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads, among others."

Advertisement
Advertisement - Article continues below

In addition to the malware-laden apps, researchers found that many apps also had access to personally identifiable information (PII) and these appeared to distribute said information to third parties.

Other intrusive behaviours observed include apps being able to collect and distribute email and phone call metadata to third parties; this data could include contact details and recipients which can inform leads used by marketers.

The data analysed by university researchers from the US and Spain was based on information provided by 2,748 volunteers using 1,742 different Android devices.

It's not just security issues that Android users are facing, the researchers point to a much wider chain of partnerships between handset vendors, network carriers, analytics services and online services such as Skype and Dropbox.

These far-reaching partnerships "suggest and in some cases confirm" instances where the companies you trust the most, namely Samsung, Huawei and Sony are knowingly granting permissions which circumvent Android's prevention of apps accessing sensitive data to third-party apps.

For example, Chinese tech giant Baidu's geo-location permission can be exposed and circumvented by third-party apps, meaning your location data could be accessed by an app which you didn't explicitly approve.

Facebook has also been found to download other associated software such as Instagram after permissions were circumvented in 24 Android vendors including Samsung, Asus, Xiaomi, HTC, Sony and LG.

The researchers say that after a full year, they've only just begun to scratch the surface of a much wider issue surrounding the Android device supply chain and the effect it's having on user security and privacy.

In terms of how to rectify the situation, the researchers speculate on a few possibilities. "Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs."

"Alternatively, in absence of self-regulation, governments and regulatory bodies could step in and enact regulations and execute enforcement actions that wrest back some of the control from the various actors in the supply chain."

Advertisement
Advertisement - Article continues below

Google's Play Protect is Android's built-in malware protection against nefarious apps and is "backed by the strength of Google's machine learning algorithms, it is always improving in real time", according to its web page.

We approached Google for comment on the extent to which Play Protect can mitigate the threats imposed by these pre-installed apps but it did not immediately reply to our emails.

The discovery highlights the prevailing issue with Android apps both proprietary and downloaded from the Google Play store where security and privacy issues run rife.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019