It was only a month ago that pre-installed malware was discovered on Android-based Alcatel smartphones, and other such security flaws are no stranger to apps found on Google’s own Play Store.
But a recent study analyzing pre-installed Android software has found that many vendors that ship their own version of the open-source operating system abuse the platform in order to release products with integrated data-collecting services.
The analysis was conducted by IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University and ICSI, and covered more than 200 device manufacturers, 1,700 devices, and 82,000 pre-installed apps.
This study concluded that, whether through deliberate misuse or poor practices, companies creating their own Android-based firmware for smartphones had a tendency to enable third-party access to user data in their software and, furthermore, to hide such activity from the user.
“This situation has become a peril to users’ privacy and even security”, the paper claims, “due to an abuse of privilege, such as in the case of pre-installed malware, or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors.”
The analysis found that it wasn’t just the smartphone manufacturer that was responsible for such transgressions, but a “myriad of actors” ranging from software developers to advertisers, and that these parties are potentially involved in secret partnerships.
“Users’ activities, personal data, and habits may be constantly monitored by stakeholders that many users may have never heard of, let alone consented to collect their data,” the study finds.
As for solutions to the lack of transparency that these researchers uncovered, they suggest the introduction of an objective “globally-trusted” regulatory body that would sign software certificates rather than the vendors themselves, as well as clear and public documentation of pre-installed apps, their purpose, and the entity responsible for them.
Google has responded to TechCrunch on the issue, claiming that the report’s methodology “is unable to differentiate pre-installed system software […] from malicious software that has accessed the device at a later time”, and that the company works closely with, and provides tools for, its partners in order to protect against software that violates its policies.