Those ****** pre-installed Android apps can be full of security holes

If you’ve ever bought a low-to-mid range Android phone, there’s a good chance you booted it up to find it pre-loaded with junk you definitely didn’t ask for.

These pre-installed apps can be clunky, annoying to remove, rarely updated… and, it turns out, full of security holes.

Security firm Kryptowire built a tool to automatically scan a large number of Android devices for signs of security shortcomings and, in a study funded by the US Department of Homeland Security, ran it on phones from 29 different vendors. Now, the majority of these vendors are ones most people have never heard of — but a few big names like Asus, Samsung, and Sony make appearances.

Kryptowire says they found vulnerabilities of all different varieties, from apps that can be forced to install other apps, to tools that can be tricked into recording audio, to those that can silently mess with your system settings. Some of the vulnerabilities can only be triggered by other apps that come pre-installed (thus limiting the attack vector to those along the supply chain); others, meanwhile, can seemingly be triggered by any app the user might install down the road.

Kryptowire has a full list of observed vulnerabilities here, broken down by type and manufacturer. The firm says it found 146 vulnerabilities in all.

As Wired points out, Google is well aware of this potential attack route. In 2018 it launched a program called the Build Test Suite (or ‘BTS’) that all partner OEMs must pass. BTS scans a device’s firmware for any known security issues hiding amongst its pre-installed apps, flagging these bad apps as ‘Potentially Harmful Applications’ (or ‘PHAs’). As Google puts it in its 2018 Android security report:
OEMs submit their new or updated build images to BTS. BTS then runs a series of tests that look for security issues on the system image. One of these security tests scans for pre-installed PHAs included in the system image. If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users. During its first calendar year, BTS prevented 242 builds with PHAs from entering the ecosystem. Anytime BTS detects an issue we work with our OEM partners to remediate and understand how the application was included in the build. This teamwork has allowed us to identify and mitigate systemic threats to the ecosystem.

Alas, one automated system can’t catch everything — and when an issue does sneak by, there’s no certainty that a patch or fix will ever arrive (especially on lower-end devices, where long-term support tends to be limited). We reached out to Google for comment on the report, but have yet to hear back.
