INSUBCONTINENT EXCLUSIVE:
If you&ve ever bought an Android phone, there a good chance you booted it up to find it pre-loaded with junk you definitely didn&t ask
for.
These pre-installed apps can be clunky, annoying to remove, rarely updated… and, it turns out, full of security holes.
Security firm
Kryptowire built a tool to automatically scan a large number of Android devices for signs of security shortcomings and, in a study funded by
Department of Homeland Security, ran it on phones from 29 different vendors
Now, the majority of these vendors are ones most people have never heard of — but a few big names like Asus, Samsung and Sony make
appearances.
Kryptowire says they found vulnerabilities of all different varieties, from apps that can be forced to install other apps, to
tools that can be tricked into recording audio, to those that can silently mess with your system settings
Some of the vulnerabilities can only be triggered by other apps that come pre-installed (thus limiting the attack vector to those along the
supply chain); others, meanwhile, can seemingly be triggered by any app the user might install down the road.
Kryptowire has a full list of
observed vulnerabilities here, broken down by type and manufacturer
The firm says it found 146 vulnerabilities in all.
As Wired points out, Google is well aware of this potential attack route
In 2018 it launched a program called the Build Test Suite (or BTS) that all partner OEMs must pass
BTS scans a device firmware for any known security issues hiding amongst its pre-installed apps, flagging these bad apps as Potentially
Harmful Applications (or PHAs)
As Google puts it in its 2018 Android security report:
OEMs submit their new or updated build images to BTS
BTS then runs a series of tests that look for security issues on the system image
One of these security tests scans for pre-installed PHAs included in the system image
If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to
users.
During its first calendar year, BTS prevented 242 builds with PHAs from entering the ecosystem.
Anytime BTS detects an issue we work
with our OEM partners to remediate and understand how the application was included in the build
This teamwork has allowed us to identify and mitigate systemic threats to the ecosystem.
Alas, one automated system can&t catch everything
— and when an issue does sneak by, there no certainty that a patch or fix will ever arrive (especially on lower-end devices, where
long-term support tends to be limited).
We reached out to Google for comment on the report, but have yet to hear back.
Update —Google
response:
We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these.
