At this point we seem to have become nearly immune to the knowledge that there are malicious apps on the Google Play store. But what about those apps that are preinstalled on your Android?
The security research firm Kryptowire has found nearly 150 potentially malicious apps preinstalled on Android phones that are cheaply produced. You may think all Androids are the same, but they are not.
Preinstalled App Vulnerabilities
Through research that was funded by the United States Department of Homeland Security, Kryptowire found 146 preinstalled Android apps were secretly recording audio and changing phone settings. Sometimes the apps were even granting themselves the permissions to carry out these tasks.
Having carried out this research nearly every year before, Kryptowire found the vulnerabilities in manufacturer and carrier firmware shipped by 29 manufacturers, though the phone manufacturers were not disclosed. They did this with a new tool that scans firmware and searches for vulnerabilities without a physical phone being required.
Kryptowire CEO Angelos Stavrou believes there needs to be greater accountability on the part of Google. He believes “Google can demand more thorough code analysis and vendor responsibility for their software products that enter the Android ecosystems.”
“Legislators and policy-makers should demand that companies are accountable for putting the security and personal information of end-users at risk.”
As it is, preinstalled apps carry a significantly larger security threat, as they are typically given more freedom than other types of apps to operate on a phone. They can be more difficult to remove as well.
Two years ago Kryptowire exposed similar security threats on Shanghai Adups Technology Android phones. It was discovered that the preinstalled software was sending device data to the company’s server in Shanghai unbeknownst to users. The company has said they resolved the issue last year.
Despite still finding similar vulnerabilities, Stavrou believes there is still some improvement with Google’s overall strategy.
“Securing the software supply chain is a very complex problem, and Google and the security research community are always making advances to address the problem,” he explained.
Android vs. Apple
Maddie Stone, a Google security researcher, said in a Black Hat 2019 presentation that an Android device can have anywhere from 100 to 400 preinstalled apps. If you’re a hacker, she noted, you “only have to convince one company to include your app, rather than thousands of users.”
That makes a lot of sense and is why you don’t find that in Apple. A hacker is not going to convince Apple to include its malicious software on an iPhone, making iPhones more secure for that reason: they’re just one manufacturer.
But if Android phone manufacturers operated the same way, you wouldn’t have all those apps pre-installed and would only have a small number similar to what iPhones include, and it wouldn’t be the same experience. Even though you know Android phones are more vulnerable, will you choose to stick with it as your preferred mobile OS? Tell us in the comments below.