24/09/2020

An open letter to Alphabet’s CEO claims that cheaper Android phones are more likely to have malicious and unremovable apps.

If you own a smartphone, particularly one that runs Googles Android operating system, you have no doubt noticed it came with a bunch of pre-installed apps that you cant remove. Some of these are necessary for the device to function; others are not, and you may not want them but are stuck with them anyway. These are known as bloatware. Sometimes they arent just annoying they can compromise your privacy by tracking your activities, including, in one famous case, by logging your keystrokes and text messages. They are also a potential source of viruses and malware that compromise the security of your phone.
Thats why a group of over 50 privacy and human rights advocates recently sent an open letter to Alphabet CEO Sundar Pichai, calling on him to do more to defend Android users from malicious or flawed pre-installed apps.
Your phones manufacturer, vendor, and mobile carrier decide which apps come pre-installed. Thats why malicious bloatware is less of a problem for iPhones: because Apple alone controls what comes pre-installed on its devices. Android is the opposite: Its an open source platform that is available to device manufacturers and vendors all over the world ranging from massive companies like Samsung to lesser-known brands like Wileyfox and Amgoo.
And thats how bloatware can get out of control. Some of these companies are reputable and carefully vet the security of their devices and pre-installed apps, while others may intentionally or not pre-install malware on their devices.
This malware can take several forms, including backdoors, which give a remote user access to and control over a device and click fraud apps, which force a device to go to a website with pay-per-click ads, creating false views that the website is then paid for by the ad company. Because the app runs in the background, a phones owner typically has no idea its going to all these websites and using their data until the surprise bill comes.
Pre-installed app vulnerabilities and exploits are a known issue; Googles own 2018 security report noted that bad actors have increasingly used pre-installed apps to infect devices. This is because these apps are able to access parts of phones without needing the users permission to perform functions, as is the case for apps that are installed through the app store, and they are far more difficult (if not impossible) to remove entirely from a device.
While iPhones are not free from malware, they are more secure than Android devices. They are also more expensive than some Android phones. New iPhones range from $449 (iPhone 8, released in September 2017) to $1,449 (a fully-loaded iPhone 11 Pro, which is Apples newest model), with discounts for trade-ins. Verizon Wireless, on the other hand, offers Android smartphones for as little as $99 for an Alcatel AVALON V with a $99 credit that makes the phone essentially free.
This means that lower-income people are more likely to own Android phones. For instance, India, considered lower middle income (per capita annual income between $996 and $3,895) by the World Bank, is Androids biggest market, while only 1 to 2 percent of Indias smartphones run Apples iOS. The downside of lower-priced devices is that their manufacturers sometimes cut corners to produce a cheaper phone, or theyre only able to keep prices down through deals with app makers to pre-install their products on their devices in the first place. That means lower-income people, both in the US and the rest of the world, are more exposed to privacy violations than wealthier people who can afford more expensive and more secure phones.
When dealing with low-cost devices, we see quite a number of poor security practices, Christopher Weatherhead, technology lead for Privacy International, told Recode. We believe that privacy shouldnt be a luxury that only those who can afford the most expensive devices (like iPhones) can attain.
For one Privacy International staffer, this experience is personal: Back in 2018, they were traveling in the Philippines when they purchased a MyPhone brand myA2 smartphone running Androids operating system. (Privacy International said the phone cost $19; it currently retails for about $30.) MyPhone, a Philippine phone vendor, is listed as a Play Protect Android Certified partner, which means its devices must adhere to Androids security standards and offer consumers some level of protection and oversight. Yet the phone came with problematic MyPhone-specific apps pre-installed, including one called MyPhoneRegistration.
MyPhoneRegistration allows a phones owner to register their device, but by the time Privacy International obtained the phone, the server that was meant to receive that data was no longer running. With nothing to connect to, the phone was stuck in an endless loop, sending out sensitive personal information every five minutes in a futile quest to fulfill the apps mission. There was no way to update the app to stop it or delete the app from the phone entirely. And because MyPhone did not encrypt the data which included the owners name, age, gender, and location that it repeatedly sent out, Weatherhead says, anyone on the same network can read that information (in on coffee shops or airports free wifi).
MyPhone confirmed to Recode that its pre-2018 myA2 phones were no longer able to access or update pre-installed apps, which means the security vulnerability remains unfixed, but said, we remain committed to provide a secure platform to our new and upcoming devices by complying to the latest Google requirements to keep the devices secure. The company added that it now has a privacy policy.
This issue isnt limited to developing nations. The day before the open letter was released last week, internet security company Malwarebytes revealed that it found two types of malware pre-installed on Assurance Wireless phones, which are given to low-income Americans for free as part of the Federal Communications Commissions Lifeline Assistance program. (In a statement, Unimax Communications, which manufacturers the phone in question, told Recode that while it did not find any malware, it did find a potential vulnerability in one of its pre-installed apps. No customer data was compromised and its latest security update fixes the issue, Unimax said.)
Privacy Internationals letter asks Google to make three changes to how pre-installed apps are managed and run on Play Protect certified devices: allow users to uninstall apps; hold them up to the same scrutiny as apps available through the Google Play Store; and require pre-installed apps to have an update mechanism.
For its part, Google told Recode that it has stepped up its security measures in recent years, including working with device manufacturers to scan pre-installed apps for harmful software before they go to market, and that it holds pre-installed apps to similar standards as Google Play Store apps.
The American Civil Liberties Union, Amnesty International, the Center for Digital Democracy, and the Electronic Frontier Foundation, among 50 others, signed Privacy Internationals open letter.
Google dominates the mobile phone OS market with its Android system, Jeffrey Chester, executive director of the Center for Digital Democracy, told Recode. This call organized by PI and supported by leading groups for Google to act responsibly when it comes to app privacy is a much needed wake up call for that company.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.