An academic study that analyzed 82,501 apps that were pre-installed on 1,742 Android smartphones sold by 214 vendors concluded that users are woefully unaware of the huge security and privacy-related threats that come from pre-installed applications.
Researchers found that many of these pre-installed apps have access to very intrusive permissions out of the box, collect and send data about users to advertisers, and have security flaws that often remain unpatched.
On top of this, many pre-installed apps (also referred to as bloatware) can't be removed, and also use third-party libraries that secretly collect user data from within benign-looking and innocently-named applications.
The study is, by far, one of the most complex endeavors of its kind, and included both an analysis of device firmware, app behavior, and the internet traffic the apps generated.
One of the first things that researchers spotted was the incessant use of third-party libraries (or software development kits --SDKs) inside many pre-installed applications.
While using an SDK to simplify the coding of basic tasks is commonplace in the web, desktop, and mobile development community, researchers noted that the most commonly encountered third-party libraries were all advertising and user tracking-related.
The research team said it found 164 different advertising SDKs inside nearly 12,000 apps and an additional 100 different analytics libraries inside almost 7,000 apps.
This suggests that a large chunk of pre-installed apps are tracking users right from the get-go, from the moment they turn on their brand new Android smartphone.
The research team also found several hundreds of pre-installed apps that were signed with certificates that were either self-signed, or featured an "Issuer" field that contained generic terms such as "Android" (115 apps) or "Android Debug" (42 apps).
Usage of this type of generic certificates prevented investigators from finding out who developed tse apps that were being included with the devices they were testing.
Furthermore, some pre-installed apps were signed with certificates belonging to companies known to engage in user tracking --such as Adups, AccuWeather, or GMobi.
Researchers also looked at the permissions these pre-installed apps received, and more particularly at "custom permissions."
The term "custom permissions" refers to a type of permission level for the Android operating system that is set up by phone manufacturers. Vendors create custom permission schemes in which they provide bulk access to various OS features for pre-installed or preferred apps.
"An exhaustive analysis of custom permissions [...] suggests (and in some cases confirms) the presence of service integration and commercial partnerships between handset vendors, [mobile network operators], analytics services (e.g., Baidu, IronSource, DigitalTurbine, and Facebook), and online services (e.g., Skype, LinkedIn, Amazon, Spotify, CleanMaster, and Dropbox)," the research team said.
"We also found custom permissions associated with vulnerable modules (e.g., MediaTek) and harmful services (e.g., Adups)."
Furthermore, researchers also identified six different versions of the Facebook app, three of which were never available through the official Google Play Store.
"According to users' complaints, two of these packages (com.facebook.appmanager and com.facebook.system) seem to automatically download other Facebook software such as Instagram in users' phones [1, 2]."
But in addition to custom permissions, researchers also discovered that many apps also had access to way too many "standard" permissions, which the pre-installed apps didn't necessarily use and theoretically would remain as an open door for future abuse.
For example, researchers found 55 pre-installed apps that were granted access to more than 100 permissions, with one app (com.cube26.coolstore) having access to 144 permissions, while another app (com.jrdcom.Elabel) having 145 permissions.
According to researchers, the most used permission among apps that also embed a third-party SDK is the permission to read system logs, followed by the ability to mount/unmount storage space, and the ability to install other apps.
Academics also looked at pre-installed apps that exposed their internal components to other apps via an Android inter-app communication mechanism known as "intent."
Researchers said that of the 82,501 apps they analyzed, 6,849 left internal components exposed to external queries by other apps installed on the same device, and, inherently, exposed all their functions and permissions to lower-privileged apps --a well-documented attack vector.
The research team also took a fine tooth-comb to 3,118 pre-installed applications and analyzed the behavior of these apps and the data they were accessing.
Their findings found that the vast majority of pre-installed apps were coded to access device logs, get a list of local installed apps, get network settings, or had the ability to run native code.
Further, researchers looked at what domains these apps communicated with. The results of this query weren't surprising, as most pre-installed apps reported back to advertising and analytics vendors such as Alphabet (Google's parent company), Facebook, and Amazon.
All in all, researchers said that nearly all apps that were capable of accessing and collecting user data were actively using this access to send data to third-party servers.
"We also observed instances of hardware and network fingerprinting capabilities, often collected under the term 'device capability,' and also analytics services that track the installation and removal of apps (notably news apps,such as those made by CNBC, The Daily Beast, Bloomberg, TechCrunch, and The Economist, among others)," researchers said. "More intrusive behaviors include apps able to collect and send email and phone call metadata."
The research team's analysis also revealed some edge cases. For example, researchers found instances of known malware in the system partition of some devices, mostly in low-end smartphones, but also in some high-end handsets.
"We identified variants of well-known Android malware families that have been prevalent in the last few years, including Triada, Rootnik, SnowFox, Xinyin, Ztorg, Iop, and dubious software developed by GMobi," researchers said.
In addition, researchers also found a secretive data collection service put inside a FOTA (firmware-over-the-air) update mechanism developed by Redstone Sunshine Technology Co., Ltd..
"This app includes a service that can collect and disseminate dozens of data items, including both user and device identifiers, behavioral information (counts of SMS and calls sent and received, and statistics about network flows) and usage statistics and performance information preinstalled package," researchers said. "We emphasize that the data collected is not only remarkably extensive, but also very far away from being anonymous as it is linked to multiple user and device identities."
And last, but not least, researchers also identified 612 pre-installed apps that included factory/engineering-related code that granted the apps extremely deep access to the device and its operating system.
Most of these factory/engineering-related functions were harmless, researchers said, such as hardware tests, but some of the code could also root devices.
"As we demonstrated in this paper, this situation has become a peril to users' privacy and even security due to an abuse of privilege, such as in the case of pre-installed malware, or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors," the research team concluded about the state of Android pre-installed apps.
"Despite a full year of efforts, we were only able to scratch the surface of a much larger problem," they added. "This work is therefore exploratory, and we hope it will bring more attention to the pre-installed Android software ecosystem and its impact on users' privacy and security."
More details about their research are available in an academic paper named "An Analysis of Pre-installed Android Software" that will be presented at the IEEE Symposium on Security and Privacy in late May 2019.