Android users beware: 146 bugs found in preinstalled apps

Security research firm Kryptowire has again exposed a hive of potentially malicious activity by preinstalled apps on cheaply produced Android phones. In research funded by the US Department of Homeland Security, the firm found apps secretly recording audio, changing phone settings without user permission, and even granting themselves new permissions.

Kryptowire's research is the latest in what's become a near-annual detailing of the pervasive security threats posed by manufacturer and carrier firmware found on Android devices. This year Kryptowire found 146 new vulnerabilities on phones shipped by 29 manufacturers, using a new tool that scans firmware for vulnerabilities without requiring a physical phone. Six preinstalled apps on Samsung devices accounted for 33 of the vulnerabilities.

When asked what could put an end to this ecosystem of cheaply produced and often dangerous software, Kryptowire CEO Angelos Stavrou pointed toward greater product accountability by Google.

"Google can demand more thorough code analysis and vendor responsibility for their software products that enter the Android ecosystems," Stavrou said in an email. "Legislators and policy makers should demand that companies are accountable for putting the security and personal information of end-users at risk."

Google didn't immediately respond to CNET's request for comment.

Preinstalled apps like those found in Kryptowire's research are often small, brandless pieces of third-party software tucked into the functions of larger, branded manufacturer apps. Preinstalled apps are a particularly significant security threat, as they normally have more freedom to operate on a user's phone than other types of apps, and can be more difficult for a user to remove.

At the 2017 Black Hat cybersecurity conference in Las Vegas, Kryptowire exposed similar security threats in the inexpensive phones produced by Shanghai Adups Technology, whose preinstalled software was found to send users' device data to the company's server in Shanghai without alerting those users. The company said the issue had been resolved. In 2018, Kryptowire released research into the preinstalled firmware flaws of 25 cheaply produced Android models -- the same year Google launched its Test Suite, in part to address these types of problems.

Despite the near-annual recurrence of Kryptowire's vulnerability exposés, Stavrou sees an arc of improvement in Google's overall security strategy.

"Securing the software supply chain is a very complex problem, and Google and the security research community are always making advances to address the problem," he said.

In a  Black Hat 2019 presentation, Google security researcher Maddie Stone said an Android device often has 100 to 400 preinstalled apps. If you're a malicious actor, you "only have to convince one company to include your app, rather than thousands of users," Stone said in the presentation.