When you buy a brand-new smartphone, there’s that precious moment just after you take it out of the box when it is shiny and clean, unsullied by dirty software that could endanger your data. Or so you thought. New research reveals that the bloatware preinstalled on many new Android phones could do far more than simply chew up your storage.
Many Android phones ship with software that has been pre-installed by the smartphone vendor. Researchers at IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University, and ICSI scanned the firmware of more than 2,700 consenting Android users around the world, creating a dataset of 82,501 pre-installed Android apps.
Many of these apps spied on their users, according to the research paper, accessing highly personal information. The researchers said:
According to our flow analysis, these results give the impression that personal data collection and dissemination (regardless of the purpose or consent) is not only pervasive but also comes pre-installed.
What data are these apps collecting?
Not only did preinstalled applications harvest geolocation information, personal email, phone call metadata and contacts, but some of them even monitored which applications users installed and opened. In many cases, personal information was funneled straight back to advertising companies.
Many of these preinstalled apps gather and communicate information using custom permissions, granted by the smartphone vendor or mobile network operator, which enabled them to perform actions that regular applications cannot.
Examples included preinstalled Facebook packages, some of which were unavailable on the regular Google Play store. These automatically downloaded other Facebook software such as Instagram, the researchers said. They also found Chinese applications exposing Baidu’s geolocation information, which could be used to locate users without their permission.
The researchers’ analysis suggests that many of these apps may be using custom permissions like these to harvest and exchange information as part of pre-defined data exchange agreements between companies:
These actors have privileged access to system resources through their presence in pre-installed apps and embedded third-party libraries. Potential partnerships and deals – made behind closed doors between stakeholders – may have made user data a commodity before users purchase their devices or decide to install software of their own.
The paper singled out the people doing digital deals behind your back as smartphone vendors, mobile network operators, analytics services and online services companies. We recently wrote about the apps that secretly share information with Facebook.
The researchers also found malware libraries embedded in some preinstalled software. One such library, called Rootnik, has the ability to gain root access to a device, leak personally identifiable information, and install additional apps. The researchers added:
According to existing AV reports, the range of behaviors that such samples exhibit encompass banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads.
How do these apps make their way onto Android phones?
There are several contributing factors. The first is that Google allows third-party companies to package and preinstall whatever applications they see fit onto their own versions of Android. In many cases that process is far from transparent, the paper warned.
The second compounding problem is that many of the apps that make it through this process are self-signed. Mobile applications are supposed to prove their legitimacy by using digital certificates, but many developers simply create their own. It’s a bit like giving your own name as a reference when applying for a job.
Some of these apps also use third-party libraries which may contain their own security or privacy issues. By granting custom permissions to an app, a smartphone vendor is also granting the same permissions to the third-party library that is piggybacking on it.
All of which is to say that if you buy an Android phone, you may well be getting more than you signed up for.
Why aren’t you naming names? Which manufacturers are the worst with this? Although I guess this is part of why I chose Google’s Pixel devices for vanilla Android.
There are names in the paper, where the authors felt it was appropriate to say what they were. (Sometimes, names were omitted and reasons given.) So the best way to find the names is in their original context. Plus, we didn’t write the paper so it’s good to give the original authors some click love. The link’s in the article but here it is again for completeness:
https://haystack.mobi/papers/preinstalledAndroidSW_preprint.pdf
Don’t be lazy and say “there’s the source, go look it up.” List the names, make an attempt to get comment from the listed manufacturers, and do the diligence required of journalism.
For one, the information in the source could be changed or deleted by the time we see this article. By the time a reader here looks, the information could be gone. Good journalism also involves preservation of information for future readers.
And two, I don’t work for one of the largest security firms in the world. I’m not clicking on some PDF file (which could be altered and unsafe by the time I download it) at a location I can’t vet with the same resources as an employee of Sophos. That’s YOUR job.
I’m beginning to get a sense of why “fake news” is such a big thing these days, if people expect others to do their research and interpretation for them, and actively – passionately, even! – refuse to consult primary sources.
That’s a world that worries me: one where repetition makes truth and where no one checks for mistakes or is willing to form an opinion of their own.
You’re already giving weight to the “Researchers at IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University, and ICSI” by sharing their paper and providing commentary. I made the point that doing so, without an accurate retelling of salient information, is an incomplete effort. I made other points, too.
Right on! Without names it is hearsay and gossip. We need names!!
Actually, hearsay is where you repeat someone else’s claims as if they were your own. (Gossip is where you just make the whole thing up and pretend you have facts.)
The details are in the paper, as already mentioned, including an explanation of who was named and who wasn’t, and why. There’s not a whole lot of point in us just repeating the names as though we wrote the paper ourselves – if you really need the names, I urge you to consult the primary source and interpret the results for yourself. Link in article and shown in an earlier comment.
Actually, hearsay is information received through another that cannot be substantiated and gossip is not necessarily making things up without facts- it involves idle conversation about others and may or may not be true.
In my book, saying something that “may or not be true” as if it were true is equivalent to “making stuff up” :-)
You’re supposed to be protecting my Android phone but I’m more confused than ever. How do I know you are not a hack?
Turning off background data usually does the trick.
Makes it even sadder that Linux for Mobile seems to have died the death.
I buy a PC, load an O/S then load the applications I want and the whole lot is kept up to date (and reasonably in step) for enhancements and security issues
Why can’t I do the same with a mobile phone?
Linux for mobile is coming in the summer, in the form of the Librem 5.
I’m interested. But it sounds (correct me if I am wrong) as though you will need a high-end phone to try it out – it sounds as though it’s not going to compete in deployability terms with Android Go (Go easy on the memory!) plus Project Treble (one Android ROM to rule them all). So unless and until it’s suitable for a daily driver, it’s going to struggle to get exposure in the ‘second phone’ world.
I have an $80 Nokia 1 and it’s great for having AOSP 9 knocking around, tiny enough to carry all the time, and useful enough to use without a SIM. But it doesn’t sound as though Librem 5 will get anywhere near that sort of device…
The Librem 5 is a phone, and it is expensive. No two ways about that. It’s not just a Linux OS, there’s things like hardware kill switches for GPS, camera, microphone…
I have paid a large amount of your human currency to obtain one and hopefully the fact that people will pay this much can reinvigorate the movement for linux on the phone.
They do not mention the Amazon Kindle Fire, but I suppose the same is implied.
Also seems Amazon has much looser Privacy practices for its apps. I have one that keeps collecting data for 30 months AFTER it has been uninstalled! (One of those moments when I uninstalled blindly Accepting…Doh!!)
Very interesting!
The fact is you made us get even more confused. You pointed out facts people have been suspecting but you never gave a name or list of all the apps your security app Sophos and HitmanPro had dealt with, or a solution to that effect. Your story may push me to root my phone now and get this app out, yet in your best practice rooting is even more dangerous. I need a solution and that solution you really had not provided. I am battling apps that wake up like zombies even when I shut them down. The bottom line is I will root my phone and get these suspected apps off my phone and re-install my Sophos and Play Store after that. Since you had no solution I will deal with it the old-fashioned way as I have mentioned.
What the hell, privacy is of the utmost importance. Who the hell are you people to say otherwise? Some people have served in the armed forces. Some may have been material witnesses to crime. But yet you don’t take their safety into consideration. This is a fallacy, do something about it.
Is there anything we can do about it?
AFAIK, in many modern Android distros you can now remove some or all of the preinstalled apps without rooting your phone. You can also use the Apps option in Settings to [FORCE STOP] and then [DISABLE] many apps that can’t be uninstalled. So although you don’t get the disk space back, the app doesn’t start up any more.
Why not mention OEMs such as Google (and a couple others) who may provide a better experience when it comes to security? For the average person, this article seems to provide a fear mongering tactic and bias toward all Android devices.
Well, Google has made a big play in the past about how you “don’t need an anti-virus on Android”, and how safe Google Play is for Android users (indeed, it’s better than a free-for-all app marketplace, but it’s far from perfect, as many recent Naked Security and Sophos News articles suggest). Google isn’t really “an OEM” here – it’s the custodian and the licensor of the whole ecosystem…
…perhaps better controls over pre-installed apps are warranted?
Ubuntu Touch by UBports is available now for certain hardware, as well as an open beta available now from the e Foundation, both not based on Android or iOS.
The /e/ (e Foundation) project *is* based on Android, though they describe it as a ‘degoogled’ version – it started as a fork of Lineage OS 14.1. Lineage itself without Gapps is worth a look if you want a degoogled Android but the OP was looking for Linux in the not-actually-Android-at-all sense.
Ubuntu Touch and other Linux distros including postmarketOS can apparently now run on the Pinephone developer kits – an open source phone aimed at costing $150 that “will strictly be running mainline Linux” and may be available ‘this year”. So they say. Fun stuff but it’s still a lot of string and gaffer tape right now.
Is this on all Android phones or just the newest models? I’ve got a Samsung S6; is this affected too?
The details of which vendors were checked out (the list is long, which is one reason we didn’t repeat it here) are in the paper…
The issue is bigger than the report, of course, because the researchers couldn’t try every model from every country (apps can vary by region) on every network (different carriers boost up their phones differently).
I’d recommend, whichever phone you have, disabling any apps you don’t use, if your phone won’t let you actually remove them. Go to Settings → Apps and click into each app you don’t need in turn. You can [FORCE STOP] them and then use [DISABLE] or [UNINSTALL] as appropriate.
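The article describes preinstalled apps reaching location, contacts and call metadata through granted (often custom) permissions, and the advice above is to find such apps under Settings → Apps and disable them. The following is an added example, not code from the article, the researchers or Sophos: a small Python triage script that parses the text printed by `adb shell pm list packages -s -f` (system packages with their APK paths) and `adb shell dumpsys package <pkg>` (per-package permission grants), flags preinstalled packages holding permissions that gate the data classes the paper discusses, separately lists any non-platform (custom) permissions they hold, and emits the matching `pm disable-user --user 0` commands for review. The sample outputs embedded below are constructed for the example, the `dumpsys` permission-line layout (`<permission>: granted=true`) is an assumption about that command's text format, and the `SENSITIVE_PERMISSIONS` mapping is a chosen illustration rather than anything from the paper.

```python
"""Offline triage of preinstalled Android packages by granted permissions.

Added example (not from the article or the paper). Parses the output of
`pm list packages -s -f` and `dumpsys package <pkg>`, flags system apps
that hold permissions reaching the data the article discusses, notes
custom (non-platform) permissions, and prints disable commands to review.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Set

# Illustrative mapping of platform permissions to the data class they gate.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call metadata",
    "android.permission.READ_PHONE_STATE": "call/device metadata",
    "android.permission.READ_SMS": "SMS",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app list",
}
# Permissions outside these namespaces are treated as vendor/custom ones.
PLATFORM_PREFIXES = ("android.permission.", "com.android.")

# `pm list packages -f` prints one line per package: package:<apk path>=<name>
PACKAGE_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)\s*$", re.MULTILINE)
# Assumed dumpsys layout: "<permission>: granted=true" (extra fields may follow).
GRANT_LINE = re.compile(r"^\s*(?P<perm>[\w.]+): granted=(?P<granted>true|false)", re.MULTILINE)

# Constructed sample of `pm list packages -s -f` output (not a real device).
SAMPLE_PACKAGE_LIST = """\
package:/system/priv-app/VendorSync/VendorSync.apk=com.example.vendor.sync
package:/system/app/Weather/Weather.apk=com.example.weather
package:/system/priv-app/Dialer/Dialer.apk=com.example.dialer
"""

# Constructed, abridged per-package `dumpsys package` output (permission sections only).
SAMPLE_DUMPSYS = {
    "com.example.vendor.sync": """\
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.QUERY_ALL_PACKAGES: granted=true
    com.example.vendor.permission.PRIVILEGED_SYNC: granted=true
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.READ_CONTACTS: granted=true
""",
    "com.example.weather": """\
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.ACCESS_COARSE_LOCATION: granted=true
""",
    "com.example.dialer": """\
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_CALL_LOG: granted=true
    android.permission.READ_PHONE_STATE: granted=true
    android.permission.READ_CONTACTS: granted=false
""",
}


def parse_package_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    return {m.group("pkg"): m.group("path") for m in PACKAGE_LINE.finditer(text)}


def parse_granted_permissions(dumpsys_text: str) -> Set[str]:
    """Return only permissions whose grant line reads granted=true."""
    return {m.group("perm") for m in GRANT_LINE.finditer(dumpsys_text)
            if m.group("granted") == "true"}


def triage(package_list_text: str, dumpsys_by_pkg: Dict[str, str]) -> List[dict]:
    """Flag packages holding sensitive or custom permissions, most sensitive first."""
    findings = []
    for pkg, path in parse_package_list(package_list_text).items():
        granted = parse_granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        sensitive = sorted(p for p in granted if p in SENSITIVE_PERMISSIONS)
        custom = sorted(p for p in granted if not p.startswith(PLATFORM_PREFIXES))
        if sensitive or custom:
            findings.append({
                "package": pkg, "apk": path, "sensitive": sensitive,
                "data_classes": sorted({SENSITIVE_PERMISSIONS[p] for p in sensitive}),
                "custom": custom,
            })
    findings.sort(key=lambda f: (-len(f["sensitive"]), f["package"]))
    return findings


def disable_commands(findings: List[dict], user: int = 0) -> List[str]:
    """Per-user disable commands (no root needed); review before running them."""
    return [f"adb shell pm disable-user --user {user} {f['package']}" for f in findings]


def collect_from_device():
    """Fetch the same two outputs from a connected device, if adb is available."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    run = lambda *args: subprocess.run(["adb", "shell", *args], capture_output=True,
                                       text=True, check=True).stdout
    listing = run("pm", "list", "packages", "-s", "-f")
    dumps = {pkg: run("dumpsys", "package", pkg) for pkg in parse_package_list(listing)}
    return listing, dumps


if __name__ == "__main__":
    results = triage(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS)
    for f in results:
        print(f"{f['package']} ({f['apk']}): data={', '.join(f['data_classes']) or '-'}"
              f"; custom={', '.join(f['custom']) or '-'}")
    for cmd in disable_commands(results):
        print(cmd)
```

On the constructed sample the vendor sync app ranks first (location, contacts, installed-app list, plus a custom vendor permission), the dialer second (call log and phone state; its contacts grant is `granted=false` and so is ignored), and the weather app last. `collect_from_device()` swaps the samples for a real device's output; the emitted `pm disable-user` commands are the command-line equivalent of the Settings → Apps → [DISABLE] step and are meant to be read through, not run blindly, since disabling a core component such as the dialer can break the phone.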