146 Security Flaws Found In Pre-Installed Apps From Android Phone Manufacturers


Android is an open ecosystem, allowing phone manufacturers to add their own apps to devices before shipping them to customers.

Unlike Google's Pixel phones, which promise a stock Android user experience, other manufacturers' phones can be customized to meet specific needs by adding themes, skins, functionality or apps on top of stock Android.

And here, researchers found that manufacturers' apps are not only bloatware but also riddled with security flaws.

To be exact, 146 flaws were found inside pre-installed apps from Android phone manufacturers.

Discovered by researchers at Kryptowire, the flaws were found to be present across apps from 29 Android OEMs (Original Equipment Manufacturers).

In the research, which was funded by the Department of Homeland Security, the security and privacy issues found range from unauthorized app installs to the ability to modify system and wireless settings, and even to record audio.

[Figure: The vulnerability types found among the 146 flaws. (Credit: Kryptowire)]

Kryptowire describes its findings as follows:

"Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase. To quantify the exposure of the Android end-users to vulnerabilities residing within pre-installed apps and firmware, we analyzed a wide range of Android vendors and carriers using devices spanning from low-end to flagship. Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide."

Underscoring the vast scope of the problem, the OEMs include well-known companies, like ASUS, Samsung, and Xiaomi.

After the discovery went public, Samsung quickly disputed the findings.

In a statement to Wired, the South Korean conglomerate stated that "we have promptly investigated the apps in question and have determined that appropriate protections are already in place."

Google also has its own security procedure to stop flawed apps from spreading: it uses a system called Build Test Suite (BTS) to scan custom Android builds for potentially harmful pre-installed apps on devices that ship with its services.

[Figure: The vendors affected by the 146 flaws. (Credit: Kryptowire)]

As Google explains in its 'Android Security 2018 Year in Review' report, released earlier this March (PHA stands for potentially harmful application):

"OEMs submit their new or updated build images to BTS. BTS then runs a series of tests that look for security issues on the system image. One of these security tests scans for pre-installed PHAs included in the system image. If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users."

Still, despite these checks, the researchers say that questionable apps keep slipping through the cracks.

What makes the situation hard for users to fix is that these are OEM apps: because they come pre-installed from the factory, they cannot be uninstalled the way third-party apps can. Worse, there is no telling when these apps will be patched or fixed.
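As an added example, not from the article or from Kryptowire's tooling: a small triage script that parses `adb shell dumpsys package` output to list pre-installed (SYSTEM-flagged) packages granted permissions matching the capability classes the report describes, and prints the per-user disable command that is the usual fallback when a system app cannot be uninstalled. The sample output and package names below are constructed.

```python
import re

# Permissions matching the capability classes the report describes: silent installs, settings changes, audio capture.
WATCHED = {
    "android.permission.INSTALL_PACKAGES": "install apps",
    "android.permission.WRITE_SECURE_SETTINGS": "modify system settings",
    "android.permission.CHANGE_WIFI_STATE": "modify wireless settings",
    "android.permission.RECORD_AUDIO": "record audio",
}

def parse_dumpsys(text):
    """Map package name -> {"system": bool, "granted": set} from `dumpsys package` output."""
    pkgs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:  # start of a new package record
            cur = pkgs.setdefault(m.group(1), {"system": False, "granted": set()})
        elif cur is not None and line.strip().startswith("flags=["):
            cur["system"] = "SYSTEM" in line.split()  # SYSTEM flag = shipped in the image
        elif cur is not None:
            m = re.match(r"\s*([\w.]+): granted=true", line)
            if m:
                cur["granted"].add(m.group(1))
    return pkgs

def flag_preinstalled(pkgs):
    """System packages holding any watched permission -> sorted list of capabilities."""
    out = {}
    for name, info in pkgs.items():
        caps = sorted({WATCHED[p] for p in info["granted"] if p in WATCHED})
        if info["system"] and caps:
            out[name] = caps
    return out

def disable_commands(flagged):
    """System apps cannot be uninstalled, but can be disabled per user on a device you administer."""
    return [f"adb shell pm disable-user --user 0 {name}" for name in sorted(flagged)]

# Constructed sample of `adb shell dumpsys package` output (package names are invented).
SAMPLE = """\
  Package [com.oem.example.diag] (3f2a1b):
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.WRITE_SECURE_SETTINGS: granted=true
  Package [com.thirdparty.example.game] (1a2b3c):
    flags=[ HAS_CODE ALLOW_BACKUP ]
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true
"""
```

On a real device, pipe the output of `adb shell dumpsys package` into `parse_dumpsys` instead of `SAMPLE`; the third-party package is deliberately left unflagged because it lacks the SYSTEM flag.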

Google, for its part, has been actively trying to weed out harmful apps from its Google Play Store.

Just recently, Google formed 'Defense Alliance' by partnering with ESET, Lookout, and Zimperium to identify shady third-party apps before they end up on users’ devices.

Published: 19/11/2019