Pre-installed apps on cheap Android phones pose serious security risks

In a study funded by the U.S. Department of Homeland Security, Kryptowire discovered serious security risks posed by pre-installed apps on cheap Android smartphones. These apps have potentially malicious activities, such as secretly recording audio, changing settings without user permission, and even granting themselves new permissions - which is obviously inseparable from the firmware of Android device manufacturers and carriers.

With the help of the new tool, Kryptowire was able to scan for vulnerabilities in the firmware without having to touch the phone itself. In the end, 146 security risks were found on Android devices from 29 manufacturers.

When asked why they specifically targeted cheap Android devices for software security investigations, Kryptowire CEO Angelos Stavrou explained in an email that this was directly related to Google's management attitude towards its products.

Google may require more thorough code analysis of software products that enter its Android ecosystem and take on the responsibilities that vendors should have.

Policymakers should now require the company to take responsibility for the security of end-user information rather than putting it at risk.

In response, Google also said in an email that it appreciates the cooperation and research work that responsibly addresses and discloses such issues.

As Kryptowire's research found, preinstalled apps are typically small, unbranded third-party software that is embedded into the preinstalled functionality of larger brand manufacturers.

However, these types of apps can easily pose a significant security threat because they have much greater permissions than other types of apps and are difficult to delete.

At the 2017 Black Hat cybersecurity conference in Las Vegas, Kryptowire disclosed a similar security threat in cheap phones made by Shanghai Adups Technology.

The phone's pre-installed software was found to send users' device data to the company's servers in Shanghai without alerting them, an issue it later claimed had been resolved.

In 2018, Kryptowire released a study on pre-installed firmware flaws in 25 entry-level Android models. In the same year, Google launched the Test Suite to partially address this issue.

Although Kryptowire revelations are unavoidable every year, Stavrou believes that Google's overall security strategy has improved.

"Protecting the software supply chain is a very complex problem that Google and the security research community have been working hard to solve," he said.

During a presentation at this year’s Black Hat security conference (Black Hat 2019), Google security researcher Maddie Stone said:

"There are 100 to 400 common pre-installed apps on Android devices. From the perspective of a malicious actor, he only needs to convince one company to package a malicious app, rather than convincing thousands of users."