Research conducted by IMDEA Networks Institute, Stony Brook University, Universidad Carlos III de Madrid, and ICSI found that pre-installed apps often send personal data back to advertisers.
Most new Android smartphones come with bloatware preinstalled that can do far more than simply chew up storage. The security researchers scanned the firmware of devices belonging to more than 2,700 consenting Android users around the world, building a dataset of 82,501 pre-installed Android apps.
According to the research paper, many of these apps spied on their users, accessing highly personal information. The researchers said:
"According to our flow analysis, these results give the impression that personal data collection and dissemination (regardless of the purpose or consent) is not only pervasive but also comes pre-installed."
Not only did preinstalled applications harvest geolocation information, personal email, phone call metadata and contacts, but some of them even monitored which applications users installed and opened. In many cases, personal information was funneled straight back to advertising companies.
Many of these preinstalled apps gather and communicate information using custom permissions, granted by the smartphone vendor or mobile network operator, which enabled them to perform actions that regular applications cannot.
Examples included preinstalled Facebook packages, some of which were unavailable on the regular Google Play store. These automatically downloaded other Facebook software such as Instagram, the researchers said. They also found Chinese applications exposing Baidu’s geolocation information, which could be used to locate users without their permission.
The researchers' analysis suggests that many of these apps may be using custom permissions like these to harvest and exchange information as part of pre-defined data exchange agreements between companies.
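The mechanism described in the two paragraphs above (vendor- or carrier-defined custom permissions that ordinary apps cannot obtain) can be checked for in a firmware image by reading each preloaded app's manifest. The script below is an added example, not code from the paper or its authors: it parses a constructed AndroidManifest.xml (the package name, permission names and component are all made up for illustration) and reports which requested permissions are platform permissions that touch location, contacts or call data, which are custom ones, and which custom ones the app does not declare itself, meaning some other preloaded package on the device must be granting them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Platform permissions covering the data categories the paper reports being
# harvested: geolocation, contacts, phone call metadata and app usage.
SENSITIVE_PLATFORM_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.PACKAGE_USAGE_STATS",
}

# Constructed sample manifest (hypothetical package and permission names, not
# taken from the paper): a preloaded app that declares one custom permission
# and requests another one that only a carrier package could have declared.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.preload">
    <permission android:name="com.example.vendor.permission.READ_DEVICE_STATS"
        android:protectionLevel="signature" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="com.example.vendor.permission.READ_DEVICE_STATS" />
    <uses-permission android:name="com.example.carrier.permission.READ_CALL_METADATA" />
    <application android:label="Preload">
        <receiver android:name=".BootReceiver" android:exported="true" />
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Summarise the permission footprint of one app manifest.

    Every library bundled in the APK runs in the same process and inherits
    this whole permission set, which is why a permission granted to the app
    is effectively granted to its third-party SDKs as well.
    """
    root = ET.fromstring(manifest_xml)
    declared = {}
    for perm in root.findall("permission"):
        # protectionLevel "signature" restricts the permission to apps signed
        # with the same key as the declaring package (typically the vendor).
        declared[_attr(perm, "name")] = _attr(perm, "protectionLevel") or "normal"

    requested = [_attr(u, "name") for u in root.findall("uses-permission")]
    custom = [p for p in requested if not p.startswith("android.permission.")]
    sensitive = [p for p in requested if p in SENSITIVE_PLATFORM_PERMISSIONS]
    # A custom permission that is requested but not declared here must be
    # declared (and therefore granted) by another package preloaded on the
    # device: a vendor or operator component, as the paper describes.
    undeclared = [p for p in custom if p not in declared]

    return {
        "package": root.get("package"),
        "declared_custom_permissions": declared,
        "requested_custom_permissions": custom,
        "sensitive_platform_permissions": sensitive,
        "undeclared_custom_permissions": undeclared,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print("%s: %s" % (key, value))
```

In a real firmware audit the manifest is binary XML inside each APK, so it would first be decoded with a tool such as apktool or aapt before being fed to this function; the classification logic stays the same.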
"These actors have privileged access to system resources through their presence in pre-installed apps and embedded third-party libraries. Potential partnerships and deals – made behind closed doors between stakeholders – may have made user data a commodity before users purchase their devices or decide to install software of their own."
The paper identified the parties making these deals behind users' backs as smartphone vendors, mobile network operators, analytics services and online services companies.
The researchers also found malware libraries embedded in some preinstalled software. One such library, called Rootnik, has the ability to gain root access to a device, leak personally identifiable information, and install additional apps. The researchers added:
"According to existing AV reports, the range of behaviors that such samples exhibit encompass banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads."
Google allows third-party companies to package and preinstall whatever applications they see fit onto their own versions of Android. In many cases that process is far from transparent, the paper warned.
A second problem is that many of the apps that make it through this process are self-signed. Mobile applications are supposed to prove their legitimacy with digital certificates, but many developers simply create their own.
Some of these apps also use third-party libraries, which may carry their own security or privacy issues. By granting custom permissions to an app, a smartphone vendor is also granting the same permissions to any third-party library that piggybacks on it.