Researchers at Kryptowire have uncovered 146 security vulnerabilities in pre-installed apps across 29 Android OEMs (original equipment manufacturers), underscoring the vast scope of the problem. The shortcomings discovered in the study — funded by the Department of Homeland Security — range from unauthorized app installs to the ability to modify system and wireless settings, and even to record audio. More troubling, the list includes apps from well-known OEMs such as Asus, Samsung, and Xiaomi. Samsung disputed the findings in a statement to Wired, saying: “we have promptly investigated the apps in question and have determined that appropriate protections are already in place.”

Since last year, Google has used a system called Build Test Suite (BTS) to scan custom Android builds for potentially harmful pre-installed apps on devices that ship with its services. As the company explains in its “Android Security 2018 Year in Review” report, released earlier this March:

But despite these security checks, questionable apps continue to slip through the cracks, as Kryptowire’s research shows. What makes the present situation more insidious is that these are OEM apps. When third-party apps downloaded by users are found to contain malware, they can at least be removed from the affected phones. With pre-installed apps, by contrast, users have no way to get rid of the offending functionality. Worse, there is no guarantee that OEMs will even issue a patch for older devices.

Google, for its part, has been actively trying to weed out harmful apps from the platform. It recently partnered with ESET, Lookout, and Zimperium to identify shady third-party apps before they end up on users’ devices. Perhaps it is time to apply the same stringent checks to OEM-made apps too.

146 security flaws uncovered in pre-installed Android apps