146 Vulnerabilities Found in Preinstalled Android Apps

News Android Vulnerabilities Featured

At this point we seem to have become nearly immune to the knowledge that there are malicious apps on the Google Play store. But what about those apps that are preinstalled on your Android?

The security research firm Kryptowire has found nearly 150 potentially malicious apps preinstalled on Android phones that are cheaply produced. You may think all Androids are the same, but they are not.

Preinstalled App Vulnerabilities

Through research that was funded by the United States Department of Homeland Security, Kryptowire found 146 preinstalled Android apps were secretly recording audio and changing phone settings. Sometimes the apps were even granting themselves the permissions to carry out these tasks.

Having carried out this research nearly every year before, Kryptowire found the vulnerabilities in manufacturer and carrier firmware shipped by 29 manufacturers, though the phone manufacturers were not disclosed. They did this with a new tool that scans firmware and searches for vulnerabilities without a physical phone being required.

Kryptowire CEO Angelos Stavrou believes there needs to be greater accountability on the part of Google. He believes “Google can demand more thorough code analysis and vendor responsibility for their software products that enter the Android ecosystems.”

“Legislators and policy-makers should demand that companies are accountable for putting the security and personal information of end-users at risk.”

News Android Vulnerabilities Phone

As it is, preinstalled apps carry a significantly larger security threat, as they are typically given more freedom than other types of apps to operate on a phone. They can be more difficult to remove as well.

Two years ago Kryptowire exposed similar security threats on Shanghai Adups Technology Android phones. It was discovered that the preinstalled software was sending device data to the company’s server in Shanghai unbeknownst to users. The company has said they resolved the issue last year.

Despite still finding similar vulnerabilities, Stavrou believes there is still some improvement with Google’s overall strategy.

“Securing the software supply chain is a very complex problem, and Google and the security research community are always making advances to address the problem,” he explained.

Android vs. Apple

Maddie Stone, a Google security researcher, said in a Black Hat 2019 presentation that an Android device can have anywhere from 100 to 400 preinstalled apps. If you’re a hacker, she noted, you “only have to convince one company to include your app, rather than thousands of users.”

That makes a lot of sense and is why you don’t find that in Apple. A hacker is not going to convince Apple to include its malicious software on an iPhone, making iPhones more secure for that reason: they’re just one manufacturer.

But if Android phone manufacturers operated the same way, you wouldn’t have all those apps pre-installed and would only have a small number similar to what iPhones include, and it wouldn’t be the same experience. Even though you know Android phones are more vulnerable, will you choose to stick with it as your preferred mobile OS? Tell us in the comments below.

Laura Tucker Laura Tucker

Laura has spent nearly 20 years writing news, reviews, and op-eds, with more than 10 of those years as an editor as well. She has exclusively used Apple products for the past three decades. In addition to writing and editing at MTE, she also runs the site's sponsored review program.


  1. “Kryptowire CEO Angelos Stavrou believes there needs to be greater accountability on the part of Google.”
    Let’s get real here. With every entity, A to Z, profiting from the harvested data, it will be a cold day in Hades before any action is taken. I wonder how much Google is paid by its partners to overlook sketchy apps in its Store.

    Unfortunately, even IF Google were sued for $Billions and lost, it would have no deterrent effect on them. They can easily absorb that kind of fine and write it off a cost of doing business. Didn’t EU recently Google with a $5 billion fine? Has the fine had any effect on Google? Or is it business as usual?

  2. One solution, perhaps only a part solution, is to root any device that you buy. Then you get only the apps that you want/need. That would cut down, probably not cut out all though, on the scumbag thieves hacking our data and our privacy.

    That’s why I don’t use a cellphone for calls. Landlines all the way. Any texts I send don’t have any real info of any great import. That’s why I don’t get scammers calling but my wife does. Her solution, get rid of the OPPO and buy an iPhone. Can’t convince HER that it is her actions that are the problem not the phone in her case. Give your number out to all and sundry and within weeks the calls start happening all over again.

    Numbers in my phone are all verified, any unverified number gets automatically sent to junk.

    1. But your solution has one major flaw: the Internet is not the only way for scammers and mobile options to find you. My elderly father with dementia fell victim to a scam this year after my mom died. He does not use a cell phone, and he does not use a computer. He fell victim to a popular scam that his investment company said is popular and run out of Jamaica. One of their methods for getting contact information is to comb the obits. They look for recently widowed older people to scam. Additionally, in researching the scam I found another victim of the same scam was a bigwig with the FBI. He didn’t fall for it, no, but they still found him, and I’d be surprised if he wasn’t using completely secure methods. So anyone is potentially a victim. We have changed my father’s phone number, and he is still getting scammers calling him. Please don’t think you are safe just because you don’t use your cellphone for calls or important texts and because number are all verified. They find you many, many ways, not just through cell phones and the Internet.

Comments are closed.