Value your privacy? Avoid Google pre-installed apps

Users of Android devices that come with pre-installed apps are exposing their personal information to advertising firms and potential hackers, according to a new study.

In the study that evaluated Google’s Android ecosystem, researchers found that several smartphones that come with pre-installed apps, including popular brands such as Samsung and Huawei, expose users to malware and ad-tracking, often without their knowledge or consent.

The study, dubbed “An Analysis of Pre-installed Software” by several scholars, was funded by the US and European Union, among other partners.

“Regular Android users are, by and large, unaware of the presence of most of the software that comes pre-installed on their devices and their associated privacy risks,” reads the study.

“Users are clueless about the various data-sharing relationships and partnerships that exist between companies that have a hand in deciding what comes pre-installed on their phones.”

The study examined the software pre-installed in more than 1,700 device models from 214 vendors sold across the world, including Nokia, Sony, LG, Huawei and Samsung.

“The openness of Android OS has enabled a complex supply chain ecosystem formed by different stakeholders, be it manufacturers, Mobile Network Operators (MNOs), affiliated developers, and distributors,” explains the study.

All these players are free to add their own apps to the Android software that comes pre-installed on the phone. However, poor software engineering practices introduce weaknesses that expose users to malware and backdoors while leaving their personal data up for grabs by ad-tracking services.

“These actors have privileged access to system resources through their presence in pre-installed apps, but also as third-party libraries embedded in them,” the study shows.

“Potential partnerships and deals – made behind closed doors between stakeholders – may have made user data a commodity before users purchase their devices or decide to install software of their own.”

Several applications, such as those that provide news and weather tracking, do not undergo the rigorous quality checks applied to other developers on the Google Play Store, nor do they provide ready updates to fix vulnerabilities. “The infamous Triada trojan has also been recently found embedded in the firmware of several low-cost Android smartphones,” explains the report in part.

“Other cases of malware found pre-installed include Loki (spyware and adware) and SLocker (ransomware), which were spotted in the firmware of various high-end phones.”

Users from developing countries with lax data protection and privacy laws are at even greater risk, with some pre-installed apps collecting users’ geographic location data. The apps also have access to users’ contacts and text messages, which are often later linked to advertisers.

President Uhuru Kenyatta last year signed the Data Protection Act 2019 into law, introducing new requirements for entities that handle and process personal digital information on their consumers. The Data Protection Act, 2019, which is modelled on the European Union’s (EU) General Data Protection Regulation (GDPR), makes it illegal for entities to collect personal data from their users without obtaining “informed consent.” According to the Act, companies have to inform users of any personal data they are collecting, the purpose of the collection and the period the data will be stored.

Jail term

The law also gives users the right to decline to have their data collected or processed, as well as to demand that false data be corrected or deleted.

A person found guilty of interfering with the personal data of others or infringing on their right to privacy will be liable, on conviction, to a fine not exceeding Sh500,000 or to imprisonment for a term not exceeding two years, or to both.

However, with most pre-installed apps, users’ consent is negated since they have no choice but to accept Android’s terms of service, as well as the manufacturer’s, to activate the device.

“When booting them, three devices did not present privacy policy at all, only the Android terms of service,” explains the report.

“The rest rendered a privacy policy that only mentions that they collect data about the user, such as the International Mobile Equipment Identity (IMEI) for added value services.”

More than 50 international organisations have now written to Alphabet Inc, the parent company of Android’s developer, Google, asking the tech giant to take action against the “exploitative pre-installed software.”

“These phones carry the ‘Google Play Protect’ branding, but research shows that 91 per cent of pre-installed apps do not appear in Google Play – Google’s app store,” said the open letter.

Signatories to the open letter include Privacy International, Amnesty International, The Tor Project and Strathmore University’s Centre for Intellectual Property and Information Technology.

“These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model,” states the letter.

They want pre-installed apps to have update mechanisms through Google Play and without a user account.