Recently an analysis of pre-installed Android software shows that many Android-based third-party operating system vendor abuse of the platform to release built-in data collection services products. The analysis was conducted by the IMDEA Networks Institute, Universidad Carlos III de Madrid, Stony Brook University and ICSI, involving more than 200 device manufacturers, more than 1,700 devices and 82,501 pre-installed applications.
The study concluded that, whether through the deliberate misuse or inappropriate practices for smartphones to create their own Android-based operating system vendors are inclined to allow third parties to access user data in their software. “This situation has become a peril to users’ privacy and even security due to an abuse of privilege, such as in the case of pre-installed malware, or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors.”
The study found that smartphone manufacturers, software developers, advertisers and other “numerical actors” are involved, and form a secret partnership. Google has responded to the results of this research and claim that:
“We appreciate the work of the researchers and have been in contact with them regarding concerns we have about their methodology. Modern smartphones include system software designed by their manufacturers to ensure their devices run properly and meet user expectations. The researchers’ methodology is unable to differentiate pre-installed system software — such as diallers, app stores and diagnostic tools–from malicious software that has accessed the device at a later time, making it difficult to draw clear conclusions. We work with our OEM partners to help them ensure the quality and security of all apps they decide to pre-install on devices, and provide tools and infrastructure to our partners to help them scan their software for behavior that violates our standards for privacy and security. We also provide our partners with clear policies regarding the safety of pre-installed apps, and regularly give them information about potentially dangerous pre-loads we’ve identified.”