An Analysis of Pre-installed Android Software
Citation: Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, Narseo Vallina-Rodriguez. An Analysis of Pre-installed Android Software.
First large-scale study of pre-installed software on Android devices. RQs:
- What is the ecosystem of pre-installed apps, including all actors in the supply chain?
- What are the relationships between vendors and other stakeholders (e.g., MNOs and third-party services)?
- Do pre-installed apps collect private and personally identifiable information (PII)? If so, with whom do they share it?
- Are there any harmful or other potentially dangerous apps among pre-installed software?
Using the FirmwareScanner app, the authors obtained firmware from 2,748 users in 130 countries, covering 1,742 device models from 214 vendors. The dataset contains 424,584 unique firmware files, but only 9% of the collected APKs were found in Google Play. From 20k Lumen app users in 144 countries they obtained traffic flows associated with 139,665 unique apps, including pre-installed ones.
The analysis covers 1,200 unique developers associated with major manufacturers, vendors, MNOs, and Internet service companies, and also uncovers a vast landscape of third-party libraries (11,665 unique TPLs), many of which mainly provide data-driven services such as advertisement, analytics, and social networking.
Extracted and analyzed an extensive set of custom permissions (4,845) declared by hardware vendors, MNOs, third-party services, security firms, industry alliances, chipset manufacturers, and Internet browsers. Such permissions may expose data and features to over-the-top apps and could be used to access privileged system resources and sensitive data in a way that circumvents the Android permission model. A manual inspection reveals a complex supply chain that involves different stakeholders and potential commercial partnerships between them.
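An added example (not from the paper) of the kind of manifest audit the custom-permission finding calls for: parse a constructed AndroidManifest.xml of a hypothetical vendor app, record each declared custom permission with its protectionLevel (Android defaults an unset level to "normal"), and flag exported components that are either unguarded or guarded only by a permission that any third-party app can obtain. Package and permission names are made up for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical vendor app; not taken from any real device.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.diag">
  <permission android:name="com.example.vendor.permission.READ_DIAG"
              android:protectionLevel="signature" />
  <permission android:name="com.example.vendor.permission.SEND_LOGS" />
  <application>
    <service android:name=".LogUploadService" android:exported="true"
             android:permission="com.example.vendor.permission.SEND_LOGS" />
    <receiver android:name=".DiagReceiver" android:exported="true"
              android:permission="com.example.vendor.permission.READ_DIAG" />
    <provider android:name=".OpenProvider" android:authorities="com.example.vendor.open"
              android:exported="true" />
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def custom_permissions(root):
    """Map each custom permission declared in the manifest to its protectionLevel."""
    return {attr(p, "name"): attr(p, "protectionLevel") or "normal"
            for p in root.iter("permission")}

def weakly_guarded_components(manifest_xml):
    """Return exported components reachable by ordinary third-party apps: those with
    no permission, or guarded by a custom permission that is not signature-level."""
    root = ET.fromstring(manifest_xml)
    perms = custom_permissions(root)
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if attr(comp, "exported") != "true":
                continue
            perm = attr(comp, "permission")
            # "unknown" = permission declared elsewhere (e.g. a platform permission); not judged here
            level = perms.get(perm, "unknown") if perm else None
            if level is None or (level != "unknown" and not level.startswith("signature")):
                findings.append((tag, attr(comp, "name"), perm, level or "none"))
    return findings

if __name__ == "__main__":
    for finding in weakly_guarded_components(SAMPLE_MANIFEST):
        print(*finding)
```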
Carried out a behavioral analysis of nearly 50% of the apps in the dataset using both static and dynamic analysis tools; the results reveal that a significant part of the pre-installed software exhibits potentially harmful or unwanted behavior.
Many of these findings may be illegal under GDPR, COPPA or other privacy and consumer protection legislation such as the upcoming CCPA.
Recommends transparency about app signing certificates (many are self-signed), together with accessible documentation and consent forms.