If you own a smartphone, particularly one that runs Google’s Android operating system, you have no doubt noticed it came with a bunch of pre-installed apps that you can’t remove. Some of these are necessary for the device to function; others are not, and you may not want them but are stuck with them anyway. These are known as bloatware. Sometimes they aren’t just annoying — they can compromise your privacy by tracking your activities, including, in one famous case, by logging your keystrokes and text messages. They are also a potential source of viruses and malware that compromise the security of your phone.
That’s why a group of more than 50 privacy and human rights advocates recently sent an open letter to Alphabet CEO Sundar Pichai, calling on him to do more to defend Android users from malicious or flawed pre-installed apps.
Your phone’s manufacturer, vendor, and mobile carrier decide which apps come pre-installed. That’s why malicious bloatware is less of a problem for iPhones: because Apple alone controls what comes pre-installed on its devices. Android is the opposite: It’s an open source platform that is available to device manufacturers and vendors all over the world — ranging from massive companies like Samsung to lesser-known brands like Wileyfox and Amgoo.
And that’s how bloatware can get out of control. Some of these companies are reputable and carefully vet the security of their devices and pre-installed apps, while others may — intentionally or not — pre-install malware on their devices.
This malware can take several forms, including backdoors, which give a remote user access to and control over a device, and click fraud apps, which force a device to go to a website with pay-per-click ads, creating false views that the website is then paid for by the ad company. Because the app runs in the background, a phone’s owner typically has no idea it’s going to all these websites and using their data until the surprise bill comes.
Pre-installed app vulnerabilities and exploits are a known issue; Google’s own 2018 security report noted that bad actors have increasingly used pre-installed apps to infect devices. This is because these apps are able to access parts of phones without needing the user’s permission to perform functions, as is the case for apps that are installed through the app store, and they are far more difficult (if not impossible) to remove entirely from a device.
While iPhones are not free from malware, they are more secure than Android devices. They are also more expensive than some Android phones. New iPhones range from $449 (iPhone 8, released in September 2017) to $1,449 (a fully loaded iPhone 11 Pro, which is Apple’s newest model), with discounts for trade-ins. Verizon Wireless, on the other hand, offers Android smartphones for as little as $99 for an Alcatel Avalon V — with a $99 credit that makes the phone essentially free.
This means that lower-income people are more likely to own Android phones. For instance, India, considered “lower middle income” (per capita annual income between $996 and $3,895) by the World Bank, is Android’s biggest market, while only 1 to 2 percent of India’s smartphones run Apple’s iOS. The downside of lower-priced devices is that their manufacturers sometimes cut corners to produce a cheaper phone, or they’re only able to keep prices down through deals with app makers to pre-install their products on their devices in the first place. That means lower-income people, in both the US and the rest of the world, are more exposed to privacy violations than wealthier people who can afford more expensive — and more secure — phones.
“When dealing with low-cost devices, we see quite a number of poor security practices,” Christopher Weatherhead, technology lead for Privacy International, told Recode. “We believe that privacy shouldn’t be a luxury that only those who can afford the most expensive devices (like iPhones) can attain.”
For one Privacy International staffer, this experience is personal: In 2018, they were traveling in the Philippines when they purchased a MyPhone-brand myA2 smartphone running Android’s operating system. (Privacy International said the phone cost $19; it currently retails for about $30.) MyPhone, a Philippine phone vendor, is listed as a Play Protect Android Certified partner, which means its devices must adhere to Android’s security standards and offer consumers some level of protection and oversight. Yet the phone came with problematic MyPhone-specific apps pre-installed, including one called MyPhoneRegistration.
MyPhoneRegistration allows a phone’s owner to register their device, but by the time Privacy International obtained the phone, the server that was meant to receive that data was no longer running. With nothing to connect to, the phone was stuck in an endless loop, sending out sensitive personal information every five minutes in a futile quest to fulfill the app’s mission. There was no way to update the app to stop it or delete the app from the phone entirely. And because MyPhone did not encrypt the data — which included the owner’s name, age, gender, and location — that it repeatedly sent out, Weatherhead says, “anyone on the same network can read that information (in on coffee shops or airports’ free wifi).”
This issue isn’t limited to developing nations. The day before the open letter was released last week, internet security company Malwarebytes revealed that it found two types of malware pre-installed on Assurance Wireless phones, which are given to low-income Americans as part of the Federal Communications Commission’s Lifeline Assistance program. (In a statement, Unimax Communications, which manufacturers the phone in question, told Recode that while it did not find any malware, it did find a “potential vulnerability” in one of its pre-installed apps. No customer data was compromised and its latest security update fixes the issue, Unimax said.)
Privacy International’s letter asks Google to make three changes to how pre-installed apps are managed and run on Play Protect certified devices: allow users to uninstall apps; hold them up to the same scrutiny as apps available through the Google Play Store; and require pre-installed apps to have an update mechanism.
For its part, Google told Recode that it has stepped up its security measures in recent years, including working with device manufacturers to scan pre-installed apps for harmful software before they go to market, and that it holds pre-installed apps to “similar standards” as Google Play Store apps.
The American Civil Liberties Union, Amnesty International, the Center for Digital Democracy, and the Electronic Frontier Foundation, among 50 others, signed Privacy International’s open letter.
“Google dominates the mobile phone OS market with its Android system,” Jeffrey Chester, executive director of the Center for Digital Democracy, told Recode. “This call organized by PI and supported by leading groups for Google to act responsibly when it comes to app privacy is a much needed wake up call for that company.”
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.