Preinstalled Android apps are harvesting and sharing your data

When you buy a brand-new smartphone, there’s that precious moment just after you take it out of the box when it is shiny and clean, unsullied by dirty software that could endanger your data. Or so you thought. New research reveals that the bloatware preinstalled on many new Android phones could do far more than simply chew up your storage.

Many Android phones ship with software that has been pre-installed by the smartphone vendor. Researchers at IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University, and ICSI scanned the firmware on the devices of more than 2,700 consenting Android users around the world, creating a dataset of 82,501 pre-installed Android apps.

Many of these apps spied on their users, according to the research paper, accessing highly personal information. The researchers said:

According to our flow analysis, these results give the impression that personal data collection and dissemination (regardless of the purpose or consent) is not only pervasive but also comes pre-installed.

What data are these apps collecting?

Not only did preinstalled applications harvest geolocation information, personal email, phone call metadata and contacts, but some of them even monitored which applications users installed and opened. In many cases, personal information was funneled straight back to advertising companies.

Many of these preinstalled apps gather and communicate information using custom permissions, granted by the smartphone vendor or mobile network operator, which enabled them to perform actions that regular applications cannot.

Examples included preinstalled Facebook packages, some of which were unavailable on the regular Google Play store. These automatically downloaded other Facebook software such as Instagram, the researchers said. They also found Chinese applications exposing Baidu’s geolocation information, which could be used to locate users without their permission.

The researchers' analysis suggests that many of these apps may be using custom permissions like these to harvest and exchange information as part of pre-defined data exchange agreements between companies:

These actors have privileged access to system resources through their presence in pre-installed apps and embedded third-party libraries. Potential partnerships and deals – made behind closed doors between stakeholders – may have made user data a commodity before users purchase their devices or decide to install software of their own.

The paper singled out the people doing digital deals behind your back as smartphone vendors, mobile network operators, analytics services and online services companies. We recently wrote about the apps that secretly share information with Facebook.

The researchers also found malware libraries embedded in some preinstalled software. One such library, called Rootnik, has the ability to gain root access to a device, leak personally identifiable information, and install additional apps. The researchers added:

According to existing AV reports, the range of behaviors that such samples exhibit encompasses banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads.

How do these apps make their way onto Android phones?

There are several contributing factors. The first is that Google allows third-party companies to package and preinstall whatever applications they see fit onto their own versions of Android. In many cases that process is far from transparent, the paper warned.

The second compounding problem is that many of the apps that make it through this process are self-signed. Mobile applications are supposed to prove their legitimacy by using digital certificates, but many developers simply create their own. It’s a bit like giving your own name as a reference when applying for a job.

Some of these apps also use third-party libraries which may contain their own security or privacy issues. By granting custom permissions to an app, a smartphone vendor is also granting the same permissions to any third-party library that is piggybacking on it.
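The three warning signs the article describes (system-partition install with privileged status, vendor-defined custom permissions that a bundled library inherits, and a self-signed signing certificate) can be triaged from a package dump. The script below is an added example written for this article; it is not code from the researchers or from Android. It parses a constructed dump whose layout loosely mimics `adb shell dumpsys package`; the `signer=` and `issuer=` lines are an assumption and stand in for certificate details an auditor would merge in from `apksigner verify --print-certs`, since dumpsys does not print them. Package names, permissions and certificate names are all made up.

```python
"""Triage preinstalled Android packages from a (constructed) package dump.

Added example, not from the article or the cited paper. Flags packages by the
indicators the article describes: system/privileged install, custom (non-AOSP)
permissions, sensitive data permissions, and a self-signed signing cert.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. Real dumpsys output is far longer and varies by Android
# version; signer=/issuer= are assumed fields, not something dumpsys emits.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.vendor.agent] (1a2b3c):
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    signer=CN=VendorAgent
    issuer=CN=VendorAgent
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_PHONE_STATE: granted=true
      com.example.vendor.permission.READ_DEVICE_LOGS: granted=true
  Package [com.example.social.installer] (4d5e6f):
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[  ]
    signer=CN=Social Installer
    issuer=CN=Social Corp Root CA
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
  Package [com.example.notes] (7a8b9c):
    flags=[ HAS_CODE ]
    privateFlags=[  ]
    signer=CN=Notes
    issuer=CN=Notes
    install permissions:
      android.permission.INTERNET: granted=true
"""

AOSP_PREFIX = "android.permission."
# Permissions behind the data types the article says were harvested, plus the
# one that lets a package silently install others.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INSTALL_PACKAGES",
}


@dataclass
class Package:
    name: str
    system: bool = False
    privileged: bool = False
    subject: str = ""
    issuer: str = ""
    granted: list = field(default_factory=list)

    @property
    def self_signed(self) -> bool:
        # A cert whose issuer is its own subject was not vouched for by anyone.
        return bool(self.subject) and self.subject == self.issuer

    @property
    def custom_permissions(self) -> list:
        # Anything outside the AOSP namespace is vendor/operator-defined; a
        # library bundled in this APK runs with all of these too.
        return [p for p in self.granted if not p.startswith(AOSP_PREFIX)]

    def findings(self) -> list:
        out = []
        if self.system:
            out.append("preinstalled (system partition)")
        if self.privileged:
            out.append("privileged")
        if self.custom_permissions:
            out.append("custom permissions: " + ", ".join(self.custom_permissions))
        sens = sorted(SENSITIVE & set(self.granted))
        if sens:
            out.append("sensitive permissions: " + ", ".join(sens))
        if self.self_signed:
            out.append("self-signed certificate")
        return out


PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(\S+): granted=true")


def parse_dump(text: str) -> list:
    """Parse the simplified dump format above into Package records."""
    pkgs, cur, in_perms = [], None, False
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = Package(m.group(1))
            pkgs.append(cur)
            in_perms = False
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("flags="):
            cur.system = "SYSTEM" in s
        elif s.startswith("privateFlags="):
            cur.privileged = "PRIVILEGED" in s
        elif s.startswith("signer="):
            cur.subject = s[len("signer="):]
        elif s.startswith("issuer="):
            cur.issuer = s[len("issuer="):]
        elif s == "install permissions:":
            in_perms = True
        elif in_perms:
            pm = PERM_RE.match(line)
            if pm:
                cur.granted.append(pm.group(1))
            else:
                in_perms = False
    return pkgs


def audit(text: str) -> dict:
    """Map package name -> list of findings, omitting packages with none."""
    return {p.name: p.findings() for p in parse_dump(text) if p.findings()}


if __name__ == "__main__":
    for name, items in audit(SAMPLE_DUMP).items():
        print(name)
        for item in items:
            print("  -", item)
```

Run against the constructed sample, the vendor agent is the only package that trips every indicator; the installer is preinstalled and holds location plus install rights but carries a CA-issued certificate, and the user-installed notes app is reported only for its self-signed certificate. On a real device the dump would come from `adb shell dumpsys package` with the certificate fields filled in separately, and the format details would need adjusting per Android version.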

All of which is to say that if you buy an Android phone, you may well be getting more than you signed up for.