Security researchers from Google’s Project Zero team recently uncovered pre-installed apps in Android devices that either allowed remote attackers to carry out remote code execution, could disable Google Play Protect in devices, or could collect information on users’ web activities.
At the Black Hat cybersecurity conference in Las Vegas, Maddie Stone, a security researcher on Project Zero and who previously served as Senior Reverse Engineer & Tech Lead on Android Security team, revealed that her team discovered three instances of Android malware being pre-installed in budget Android phones in the recent past.
One such pre-installed app was capable of turning off Google Play Protect, the default mobile security app in Android devices, thereby leaving devices vulnerable to all forms of cyber attacks or remote surveillance. The Project Zero team also found an app pre-installed on Android phones that gathered logs of users’ web activities.
In another instance, the researchers observed that as many as 225 Android device manufacturers (OEMs) pre-installed apps in their devices that allowed hackers to carry out remote code execution and take control over devices. According to Stone, even though vulnerabilities in such apps were fixed quickly, they affected over 6 million Android devices.
Pre-installed apps pose a greater threat to Android users
What makes vulnerable and bug-ridden pre-installed apps more harmful for Android device users is that since they are pre-approved by device makers, they are not monitored or flagged by antivirus software even if they exhibit malware-like capabilities.
Since they are pre-approved apps, they also enjoy higher privileges compared to other apps and in many cases, device owners cannot uninstall or remove them on their own. In such cases, only manufacturers can remove vulnerable apps by issuing software updates.
If malware or security issues can make its way as a preinstalled app, then the damage it can do is greater, and that’s why we need so much reviewing, auditing and analysis,” Stone told CNET.
“If you are able to infiltrate the supply chain out of the box, then you already have as many infected users as how many devices they sell. That’s why it’s a scarier prospect and I really hope more researchers join us in vetting these processes,” she added.
Earlier this year, secueeity researchers at Quick Heal revealed that a majority of easily-available and free-to-use antivirus applications cannot detect or defend against a majority of Android malware out in the wild.
Out of the 250 Android antivirus apps tested by Quick Heal, less than 1 in 10 of the apps defended against all 2,000 malicious apps, while over two-thirds failed to reach a block rate of even 30%.
“This goes on to explain that while there are endless Android security apps available in the market, only a small proportion of these can actually provide effective protection against malware attacks. Thus, before consumers can install a security app on their device, it is important to validate its genuineness and level of effectiveness,” the firm noted.