If you've ever bought an Android phone, there's a good chance you booted it up to find it pre-loaded with junk you definitely didn't ask for.
These pre-installed apps can be clunky, annoying to remove, rarely updated... and, it turns out, full of security holes.
Security firm Kryptowire built a tool to automatically scan a large number of Android devices for signs of security shortcomings and, in a study funded by the U.S. Department of Homeland Security, ran it on phones from 29 different vendors. Now, the majority of these vendors are ones most people have never heard of — but a few big names like Asus, Samsung and Sony make appearances.
Kryptowire says they found vulnerabilities of all different varieties, from apps that can be forced to install other apps, to tools that can be tricked into recording audio, to those that can silently mess with your system settings. Some of the vulnerabilities can only be triggered by other apps that come pre-installed (thus limiting the attack vector to those along the supply chain); others, meanwhile, can seemingly be triggered by any app the user might install down the road.
Kryptowire has a full list of observed vulnerabilities here, broken down by type and manufacturer. The firm says it found 146 vulnerabilities in all.
As Wired points out, Google is well aware of this potential attack route. In 2018 it launched a program called the Build Test Suite (or BTS) that all partner OEMs must pass. BTS scans a device's firmware for any known security issues hiding amongst its pre-installed apps, flagging these bad apps as Potentially Harmful Applications (or PHAs). As Google puts it in its 2018 Android security report:
OEMs submit their new or updated build images to BTS. BTS then runs a series of tests that look for security issues on the system image. One of these security tests scans for pre-installed PHAs included in the system image. If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users.
During its first calendar year, BTS prevented 242 builds with PHAs from entering the ecosystem.
Anytime BTS detects an issue we work with our OEM partners to remediate and understand how the application was included in the build. This teamwork has allowed us to identify and mitigate systemic threats to the ecosystem.
Alas, one automated system can't catch everything — and when an issue does sneak by, there's no certainty that a patch or fix will ever arrive (especially on lower-end devices, where long-term support tends to be limited).
We reached out to Google for comment on the report, but have yet to hear back.
Update — Google's response:
We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these.