An open letter addressed to Alphabet CEO Sundar Pichai has been published, in which over 50 organizations (including Privacy International and the American Civil Liberties Union) ask Google to take action on bloatware and protect users from applications pre-installed on Android devices. This is the so-called "redundant software" (aka bloatware) that comes bundled with the device and is available immediately "out of the box".
The signatories of the letter explain that many bloatware applications cannot be deleted, and through them unscrupulous device and application manufacturers can collect user data (without the knowledge and consent of the users themselves, of course). Such applications often also hold privileged permissions that allow them to bypass Android's defense mechanisms.
The authors of the letter refer to a study conducted in 2018, which showed that the ecosystem of pre-installed applications on Android is in complete disarray. According to the study, 91% of all pre-installed applications are not available in the official Google Play catalog at all. That is, they do not pass Google's verification procedure, are not checked for excessive permissions, known vulnerabilities or malicious functionality, cannot be updated through the Play Store mechanism, and so on.
Such applications pose the greatest threat to users of budget gadgets around the world, and the authors of the letter emphasize that "confidentiality cannot be a luxury offered only to those people who can afford an expensive phone."
The organizations are asking the head of Google to introduce new standards for OEMs by tightening the rules for applications that can be pre-installed on devices. They propose adding at least the following three rules:
- users should be able to permanently remove applications from their devices. This should apply to any background services that continue to run even if applications are disabled;
- pre-installed applications must undergo the same checks as applications in the Google Play Store, especially regarding user permissions;
- pre-installed applications should have an update mechanism, preferably through Google Play and without the need to create a separate account. Google should refuse device certification for privacy reasons if manufacturers or vendors try to exploit users in this way.
Privacy International representatives have also created a petition where end users can support this campaign.
Interestingly, by pure coincidence, the open letter was published almost simultaneously with a report from the information security company Malwarebytes. Its experts warned of malware found in two applications pre-installed on budget Unimax (UMX) U686CL smartphones, which are offered to low-income Americans through a special government-sponsored Lifeline program (they cost only $35).
These Android devices are made in China and sold by Assurance Wireless, a mobile service provider in the Virgin Mobile group.
After noticing complaints from users of these devices, the company purchased a UMX U686CL smartphone and studied it carefully. It quickly became clear that one of the device's components, the Wireless Update application, contains Adups.
This malware was first noticed in 2016, when Kryptowire experts accidentally discovered that the FOTA (Firmware Over The Air) software update system, that is, the non-removable com.adups.fota application developed by the Chinese company Shanghai Adups Technology Company, is dangerous to users. The Kryptowire team found that Adups has the ability to send updates to users' devices, bypassing both smartphone providers and the users themselves.
Now Malwarebytes experts write that this component is currently present on UMX devices and is used to install applications without the user's knowledge. It remains unclear who is using it. So far, all the applications studied by the researchers turned out to be clean and did not contain malware, but they were still added to the devices without the permission or knowledge of the owners.
Malwarebytes experts also discovered suspicious code in the Settings application. According to the researchers, the application is infected with some kind of highly obfuscated malware, presumably of Chinese origin. Apparently, this is a dropper for the well-known adware HiddenAds.
It is emphasized that neither malicious application can be removed. Although users can get rid of the Wireless Update application, doing so means the phone will stop updating and will miss critical security updates for its firmware.
It should be noted that the experts are not fully certain that Unimax itself is responsible for the malware appearing on the devices. The malware may have been added by third-party developers in the supply chain.