
Preinstalled Android Apps Found to Contain Multiple Vulnerabilities

Nov 19, 2019

You may have purchased an Android device before and noticed that it comes with a ton of preinstalled apps on it that really aren’t very useful. Preinstalled apps on Android are a huge annoyance since they are often hard to get rid of and usually aren’t updated regularly. Well, researchers have found that these preinstalled Android apps are more than annoying, as they are a huge security risk. These apps were found to have multiple vulnerabilities associated with them, which puts your information at risk.

Researchers Find Preinstalled Android Apps Full of Vulnerabilities

Researchers from Kryptowire had been looking at Android apps that come preinstalled on devices, and they found that many of them contain vulnerabilities. The company built a specific tool that was able to scan multiple Android devices at once and find any security holes within those devices.

This particular study actually was funded by Homeland Security and it looked at Android smartphones from 29 different companies. While we expect there to be security vulnerabilities in some of the more questionable companies out there, we didn’t think that some very well-known vendors would be on this list.

Some of the Android devices that were checked and had vulnerabilities were from Sony, Samsung, and Asus. That’s one of the most surprising things about this study. These companies are supposed to be known for building high-quality products. The vulnerabilities existed in many forms. Some preinstalled apps had the ability to install other apps onto the device.

Other vulnerabilities included tools that could record audio secretly and even apps that could change your system settings without you knowing. These vulnerabilities are all a little different and are triggered differently. The main takeaway is that these vulnerabilities pose huge risks to the Android user.

Preinstalled Apps on Android Contain Vulnerabilities of All Kinds

What’s interesting is that some of the vulnerabilities in the preinstalled apps only could be triggered by the other preinstalled apps on the Android device. That does limit some of the damage that these apps could do. Some of the other vulnerabilities were even more risky, according to the researchers.

Some of these other vulnerabilities actually could be triggered by any app you downloaded and installed on the Android device. These particular vulnerabilities could be triggered by apps you install months from now. There’s no real way to know which apps would set off the vulnerabilities.

More than 146 vulnerabilities were found throughout the study of these preinstalled Android apps. That number is pretty significant when you think about it. The worst part about this study is that Google was already aware that security risks and vulnerabilities like this existed. Google even started a program called Build Test Suite back in 2018. OEM vendors had to pass this program before their devices could be released onto the market.

Build Test Suite would actually scan the firmware of the device and see if any security vulnerabilities existed or were hidden within the preinstalled apps. From there, those preinstalled apps would be labeled as Potentially Harmful Applications if they were flagged in this system.

The OEM builder would be notified and the apps would then need to be removed and the device retested until it passed. In the first year of Build Test Suite, over 242 Android devices were flagged and found to contain Potentially Harmful Apps. These devices were then prevented from being released to users until the issues were fixed.

Google Uses Automated System to Catch Preinstalled App Vulnerabilities But It’s Not Enough

While we are happy that Google does use an automated system to help catch the vulnerabilities found in preinstalled Android apps, we know it’s simply not enough. One system cannot catch all of these apps and vulnerabilities, especially an automated system. When it comes to lower-end Android devices, there’s definitely more of a risk.

With lower-end devices, fixes and patches usually don’t happen quickly, if at all. Long-term fixes and patches on lower-end devices are rare, so it makes those devices more at risk for these preinstalled app vulnerabilities. We think that Google should be coming at this from multiple angles, using both automated systems and human flagging techniques.

In the comments below, we want to know if you think that the Build Test Suite is enough or if you think Google needs to do more to prevent the preinstalled app vulnerabilities. Do you think that lower-end Android devices need to have the same standards as the more expensive Android devices? Are you someone that is concerned with all of the vulnerabilities that seem to always exist on Android? What else do you think Google could or should do to help prevent these situations?