A recent study examined pre-installed software that comes on Android devices and came to a startling conclusion. Due to the open source nature of Android and the ability to embed software in custom Android firmware versions, the study found that users are at greater risk of being hit with malware and having their data collected without their consent, for a number of reasons.
"This situation has become a peril to users’ privacy and even security due to an abuse of privilege, such as in the case of pre-installed malware, or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors," the study concluded.
Conducted by IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University, and ICSI, this is the first large-scale study (PDF) of pre-installed software on Android devices. The study encompasses more than 200 device manufacturers and 1,700 unique devices, hundreds of thousands of unique files (based on their MD5 hash), and 82,501 Android apps.
The study used anonymized traffic logs provided by more than 20,400 users from 144 countries. It looked for "potentially harmful or unwanted behaviors," whether introduced on purpose or through poor engineering and/or security controls. In addition to finding instances of known malware (mostly in low-end devices, but also in some high-end ones), the study's authors determined that companies installing custom firmware sometimes enable third-party access to user data.
"Users are clueless about the many private data-sharing relationships and partnerships that exist between the various companies that have a hand in deciding what comes pre-installed on their phones. Users’ activities, personal data, and habits may be constantly monitored by stakeholders that many users may have never heard of, let alone consented to collect their data," the authors stated.
It's not just smartphone makers that are culpable. According to the study, there is a "myriad of actors," ranging from hardware manufacturers to developers and advertisers. In some cases, the study claims, they may secretly be working in partnership to extract certain data without the user's consent.
There is no easy solution to this, though the study's authors propose forming a globally trusted regulatory body to sign security and privacy certificates.