Android Bloatware's Dark Side Emerges

Some Android phones are more vulnerable to attacks than others, due to pre-installed add-on tools and skins, security researchers say.

Mathew J. Schwartz, Contributor

December 1, 2011

5 Min Read

10 Worst Android Apps

10 Worst Android Apps

10 Worst Android Apps (click image for larger view and for slideshow)

Researchers have found that some Android smartphones are more vulnerable to attacks than others, thanks to add-on software and skins that get installed by handset makers before they ship their smartphones to subscribers.

"Some of these preloaded applications, or features, are designed to make the smartphones more user-friendly, such as features that notify you of missed calls or text messages," said Xuxian Jiang, an assistant professor of computer science at North Carolina State University, in a statement. "The problem is that these pre-loaded apps are built on top of the existing Android architecture in such a way as to create potential 'backdoors' that can be used to give third parties direct access to personal information or other phone features."

Jiang is the co-author of a research paper, Systematic Detection of Capability Leaks in Stock Android Smartphones--due to be presented at the Network and Distributed System Security Symposium in San Diego in February 2012--which details how eight popular Android smartphones handle permissions.

[ Wireless network diagnostic software Carrier IQ is an insane breach of enterprise trust, says IT leader Jonathan Feldman. See what he says must change, in Carrier IQ: Mobile App Crap Must Stop. ]

Why study Android permissions? Because they're a cornerstone of Android security and user privacy. For example, if an application requests permission to use a user's location--perhaps as part of an advertiser-backed effort to track their online behavior--the smartphone owner can deny that request. Likewise, permissions serve as a last line of defense against malicious applications that may end up on their phones. For example, if an application attempts to access both the Internet and a user's address book, but shouldn't need to do so, it could indicate that the application in question is attempting to steal data and phone home.

To test the permission-enforcement security model on Android smartphones, the researchers built a tool, dubbed Woodpecker, that subjects images of Android operating systems to permission tests. As a baseline, they first studied the Google Nexus One and Nexus S smartphones--which come with a vanilla version of Android installed--as well as the Motorola Droid, which is "close to the reference Android design," they said.

Their findings: "Google's reference implementations and the Motorola Droid were basically clean," said Jiang. "No real problems there."

Next, the researchers compared those vanilla versions of Android with the images of Android operating systems that came installed on the Motorola Droid X; Samsung Epic 4G; and HTC Legend, EVO 4G, and Wildfire S. Interestingly, they found that of the 13 permissions studied, the devices leaked, on average, eight of those permissions, and the EVO 4G, which scored the worst, leaked 10. In other words, the handset makers had introduced data leakage vulnerabilities onto their smartphones via the custom software and skins that they'd added. (The researchers said they notified the manufacturers earlier this year about the vulnerabilities they had discovered.)

Why are data leaks a threat? "By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones--all without asking for any permission," said the researchers.

This is far from the first reported case of device makers introducing Android vulnerabilities via their skins. Just in October, for example, HTC pushed an emergency patch after a researcher discovered a data leakage vulnerability in HTC Sense UI (HTC's custom Android skin) that could be exploited by an attacker to steal data from the handset, including location information, phone numbers, and email addresses.

The HTC vulnerability--discovered by security researcher Trevor Eckhart--stemmed from HTC having added its own application to collect handset data. But because of the way the application had been coded, any application with Internet access would have been able to access the HTC logging application, and thus steal all of the data it amassed.

The N.C. State researchers said that, based on their results, data-leakage vulnerabilities are likely to be present not just in manufacturers' versions of Android, but also many third-party applications. "Our study only examines capability leaks among pre-loaded apps in the phone firmware. We also expect the leaks could occur among third-party user apps," they wrote. "Note that phone images are relatively homogeneous and static with usually a somewhat infrequent update schedule. Capability leaks, especially explicit ones, on phone images are of great interest to malicious third parties."

Given the threat posed by customized Android skins, are they an essential feature, or merely bloatware? Regardless, smartphone buyers are typically stuck with them. Notably, while PC manufacturers always include extra software on their devices, it's easy for businesses to excise, by creating a new client build without the add-ons. But on smartphones, such software is typically integrated into the Android operating system in a way that makes it impossible to delete, except perhaps for more advanced users who also don't mind rooting their phones.

Accordingly, what should users of the five phones that contain known vulnerabilities do? "If you have one of these phones, your best bet to protect yourself moving forward is to make sure you accept security updates from your vendor," said Jiang. "And avoid installing any apps that you don't trust completely."

Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights