Security research firm Kryptowire has again exposed a hive of potentially malicious activity by preinstalled apps on cheaply produced Android phones. In research funded by the US Department of Homeland Security, the firm found apps secretly recording audio, changing phone settings without user permission and even granting themselves new permissions.
Kryptowire's research is the latest in what's become a near-annual detailing of the pervasive security threats posed by manufacturer and carrier firmware found on Android devices. This year Kryptowire found 146 new vulnerabilities on phones shipped by 29 manufacturers, using a new tool that scans firmware for vulnerabilities without requiring a physical phone.
When asked what could put an end to this ecosystem of cheaply produced and often dangerous software, Kryptowire CEO Angelos Stavrou pointed toward greater product accountability by Google.
"Google can demand more thorough code analysis and vendor responsibility for their software products that enter the Android ecosystems," Stavrou said in an email. "Legislators and policy makers should demand that companies are accountable for putting the security and personal information of end-users at risk."
In an email Google said, "We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these."
Preinstalled apps like those found in Kryptowire's research are often small, brandless pieces of third-party software tucked into the functions of larger, branded manufacturer apps. Preinstalled apps are a particularly significant security threat, as they normally have more freedom to operate on a user's phone than other types of apps, and can be more difficult for a user to remove.
At the 2017 Black Hat cybersecurity conference in Las Vegas, Kryptowire exposed similar security threats in the inexpensive phones produced by Shanghai Adups Technology, whose preinstalled software was found to send users' device data to the company's server in Shanghai without alerting those users. The company said the issue had been resolved. In 2018, Kryptowire released research into the preinstalled firmware flaws of 25 cheaply produced Android models, the same year Google launched its Test Suite, in part to address these types of problems.
Despite the near-annual recurrence of Kryptowire's vulnerability exposés, Stavrou sees an arc of improvement in Google's overall security strategy.
"Securing the software supply chain is a very complex problem, and Google and the security research community are always making advances to address the problem," he said.
In a Black Hat 2019 presentation, Google security researcher Maddie Stone said an Android device often has 100 to 400 preinstalled apps. If you're a malicious actor, Stone said in the presentation, you "only have to convince one company to include your app, rather than thousands of users."
Originally published Nov. 15, 9:53 a.m. PT.
Update, 12:11 p.m.: Adds comment from Google.