An Analysis of Pre-Installed Android Software

1) The document analyzes pre-installed Android software from over 200 vendors to understand the ecosystem, relationships between actors, and privacy/security implications. 2) It finds complex relationships between device manufacturers, mobile network operators, and third parties like advertisers revolving around advertising and data collection. 3) The study reveals pre-installed apps collect personally identifiable information and share it without user consent, and also finds some malware, highlighting a lack of transparency in the Android supply chain.

Uploaded by

JC Guerrero

2020 IEEE Symposium on Security and Privacy

An Analysis of Pre-installed Android Software


Julien Gamba∗†, Mohammed Rashed†, Abbas Razaghpanah‡, Juan Tapiador† and Narseo Vallina-Rodriguez∗§
∗ IMDEA Networks Institute, † Universidad Carlos III de Madrid, ‡ Stony Brook University, § ICSI

Abstract

The open-source nature of the Android OS makes it possible for manufacturers to ship custom versions of the OS along with a set of pre-installed apps, often for product differentiation. Some device vendors have recently come under scrutiny for potentially invasive private data collection practices and other potentially harmful or unwanted behavior of the pre-installed apps on their devices. Yet, the landscape of pre-installed software in Android has largely remained unexplored, particularly in terms of the security and privacy implications of such customizations. In this paper, we present the first large-scale study of pre-installed software on Android devices from more than 200 vendors. Our work relies on a large dataset of real-world Android firmware acquired worldwide using crowd-sourcing methods. This allows us to answer questions related to the stakeholders involved in the supply chain, from device manufacturers and mobile network operators to third-party organizations like advertising and tracking services, and social network platforms. Our study allows us to also uncover relationships between these actors, which seem to revolve primarily around advertising and data-driven services. Overall, the supply chain around Android’s open source model lacks transparency and has facilitated potentially harmful behaviors and backdoored access to sensitive data and services without user consent or awareness. We conclude the paper with recommendations to improve transparency, attribution, and accountability in the Android ecosystem.

I. INTRODUCTION

The openness of the Android source code makes it possible for any manufacturer to ship a custom version of the OS along with proprietary pre-installed apps on the system partition. Most handset vendors take this opportunity to add value to their products as a market differentiator, typically through partnerships with Mobile Network Operators (MNOs), online social networks, and content providers. Google does not forbid this behavior, and it has developed its Android Compatibility Program [8] to set the requirements that the modified OS must fulfill in order to remain compatible with standard Android apps, regardless of the modifications introduced. Devices made by vendors that are part of the Android Certified Partners program [5] come pre-loaded with Google’s suite of apps (e.g., the Play Store and Youtube). Google does not provide details about the certification processes. Companies that want to include the Google Play service without the certification can outsource the design of the product to a certified Original Design Manufacturer (ODM) [7].

Certified or not, not all pre-installed software is deemed as wanted by users, and the term “bloatware” is often applied to such software. The process of how a particular set of apps end up packaged together in the firmware of a device is not transparent, and various isolated cases reported over the last few years suggest that it lacks end-to-end control mechanisms to guarantee that shipped firmware is free from vulnerabilities [24], [25] or potentially malicious and unwanted apps. For example, at Black Hat USA 2017, Johnson et al. [82], [47] gave details of a powerful backdoor present in the firmware of several models of Android smartphones, including the popular BLU R1 HD. In response to this disclosure, Amazon removed Blu products from their Prime Exclusive line-up [2]. A company named Shanghai Adups Technology Co. Ltd. was pinpointed as responsible for this incident. The same report also discussed the case of how vulnerable core system services (e.g., the widely deployed MTKLogger component developed by the chipset manufacturer MediaTek) could be abused by co-located apps. The infamous Triada trojan has also been recently found embedded in the firmware of several low-cost Android smartphones [77], [66]. Other cases of malware found pre-installed include Loki (spyware and adware) and Slocker (ransomware), which were spotted in the firmware of various high-end phones [6].

Android handsets also play a key role in the mass-scale data collection practices followed by many actors in the digital economy, including advertising and tracking companies. OnePlus has been under suspicion of collecting personally identifiable information (PII) from users of its smartphones through exceedingly detailed analytics [55], [54], and also deploying the capability to remotely root the phone [53], [52]. In July 2018 the New York Times revealed the existence of secret agreements between Facebook and device manufacturers such as Samsung [32] to collect private data from users without their knowledge. This is currently under investigation by the US Federal authorities [33]. Additionally, users from developing countries with lax data protection and privacy laws may be at an even greater risk. The Wall Street Journal has exposed the presence of a pre-installed app that sends users’ geographical location as well as device identifiers to GMobi, a mobile-advertising agency that engages in ad-fraud activities [14], [67]. Recently, the European Commission publicly expressed concern about Chinese manufacturers like Huawei, alleging that they were required to cooperate with national intelligence services by installing backdoors on their devices [30].

Research Goals and Findings

To the best of our knowledge, no research study has so far systematically studied the vast ecosystem of pre-installed Android software and the privacy and security concerns associated with them. This ecosystem has remained largely unexplored due to the inherent difficulty to access such software at scale and across vendors. This state of affairs makes such

© 2020, Julien Gamba. Under license to IEEE. 1039


DOI 10.1109/SP40000.2020.00013
Authorized licensed use limited to: IEEE Xplore. Downloaded on March 09,2024 at 23:46:18 UTC from IEEE Xplore. Restrictions apply.
a study even more relevant, since i) these apps – typically unavailable on app stores – have mostly escaped the scrutiny of researchers and regulators; and ii) regular users are unaware of their presence on the device, which could imply lack of consent in data collection and other activities.

In this paper, we seek to shed light on the presence and behavior of pre-installed software across Android devices. In particular, we aim to answer the questions below:

• What is the ecosystem of pre-installed apps, including all actors in the supply chain?
• What are the relationships between vendors and other stakeholders (e.g., MNOs and third-party services)?
• Do pre-installed apps collect private and personally-identifiable information (PII)? If so, with whom do they share it?
• Are there any harmful or other potentially dangerous apps among pre-installed software?

To address the points described above, we developed a research agenda revolving around four main items:

1) We collected the firmware and traffic information from real-world devices using crowd-sourcing methods (§II). We obtained the firmware from 2,748 users spanning 1,742 device models from 214 vendors. Our user base covers 130 countries from the main Android markets. Our dataset contains 424,584 unique firmware files, but only 9% of the collected APKs were found in Google Play. We complement this dataset with traffic flows associated with 139,665 unique apps, including pre-installed ones, provided by over 20.4K users of the Lumen app [86] from 144 countries. To the best of our knowledge, this is the largest dataset of real-world Android firmware analyzed so far.

2) We performed an investigation of the ecosystem of pre-installed Android apps and the actors involved (§III) by analyzing the Android manifest files of the app packages, their certificates, and the Third-Party Libraries (TPLs) they use. Our analysis covers 1,200 unique developers associated with major manufacturers, vendors, MNOs, and Internet service companies. We also uncover a vast landscape of third-party libraries (11,665 unique TPLs), many of which mainly provide data-driven services such as advertisement, analytics, and social networking.

3) We extracted and analyzed an extensive set of custom permissions (4,845) declared by hardware vendors, MNOs, third-party services, security firms, industry alliances, chipset manufacturers, and Internet browsers. Such permissions may potentially expose data and features to over-the-top apps and could be used to access privileged system resources and sensitive data in a way that circumvents the Android permission model. A manual inspection reveals a complex supply chain that involves different stakeholders and potential commercial partnerships between them (§IV).

4) We carried out a behavioral analysis of nearly 50% of the apps in our dataset using both static and dynamic analysis tools (§V). Our results reveal that a significant part of the pre-installed software exhibit potentially harmful or unwanted behavior. While it is known that personal data collection and user tracking is pervasive in the Android app ecosystem as a whole [78], [84], [85], we find that it is also quite prevalent in pre-installed apps. We have identified instances of user tracking activities by pre-installed Android software – and embedded third-party libraries – which range from collecting the usual set of PII and geolocation data to more invasive practices that include personal email and phone call metadata, contacts, and a variety of behavioral and usage statistics in some cases. We also found a few isolated malware samples belonging to known families, according to VirusTotal, with prevalence in the last few years (e.g., Xynyin, SnowFox, Rootnik, Triada and Ztorg), and generic trojans displaying a standard set of malicious behaviors (e.g., silent app promotion, SMS fraud, ad fraud, and URL click fraud).

All in all, our work reveals complex relationships between actors in the Android ecosystem, in which user data seems to be a major commodity. We uncover a myriad of actors involved in the development of mobile software, as well as poor software engineering practices and lack of transparency in the supply chain that unnecessarily increase users’ security and privacy risks. We conclude this paper with various recommendations to palliate this state of affairs, including transparency models to improve attribution and accountability, and clearer mechanisms to obtain informed consent. Given the scale of the ecosystem and the need to perform manual inspections, we will gradually make our dataset available to the research community and regulators to boost investigations.

II. DATA COLLECTION

Obtaining pre-installed apps and other software artifacts (e.g., certificates installed in the system root store) at scale is challenging. As purchasing all the mobile handset models (and their many variations) available in the market is unfeasible, we decided to crowdsource the collection of pre-installed software using a purpose-built app: Firmware Scanner [34]. Using Firmware Scanner, we obtained pre-installed software from 1,742 device models. We also decided to use Lumen, an app that aims to promote mobile transparency and enable user control over their mobile traffic [86], [49] to obtain anonymized network flow metadata from Lumen’s real users. This allows us to correlate the information we extract from static analysis, for a subset of mobile apps, with realistic network traffic generated by mobile users in the wild and captured in user-space. In the remainder of this section, we explain the methods implemented by each app and present our datasets. We discuss the ethical implications of our data collection in Section II-C.

A. Firmware Scanner

Publicly available on Google Play [34], Firmware Scanner is a purpose-built Android app that looks for and extracts pre-installed apps and DEX files in the app and priv-app folders located in /system/, libraries in the lib and lib64 folders in /system/, any files in the /system/vendor/ folder if that directory exists, and root certificates located in /system/etc/security/cacerts/. We can distinguish pre-installed apps from user-installed ones as the latter are stored in /data/app/. In order to reduce the scanning

[Figure 1: Number of files per vendor. Y-axis: number of files (log scale); X-axis: vendor. Legend: file types (Apps, Libs, Certs) and major Android versions (4 to 9). We do not display the vendors for which we have less than 3 devices.]

and upload time, Firmware Scanner first computes the MD5 hashes of the relevant files (e.g., apps, libraries, and root certificates) and then sends the list of these hashes to our server. Only those missing in our dataset are uploaded over a Wi-Fi connection to avoid affecting the user’s data plan.

Dataset: Thanks to 2,748 users who have organically installed Firmware Scanner, we obtained firmware versions for 1,742 unique device models¹ branded by 214 vendors² as summarized in Table I. Our dataset contains 424,584 unique files (based on their MD5 hash) as shown in Figure 1 for selected vendors. For each device we plot three dots, one for each type of file, while the shape indicates the major Android version that the device is running.³ The number of pre-installed files varies greatly from one vendor to another. Although it is not surprising to see a large amount of native libraries due to hardware differences, some vendors embed hundreds of extra apps (i.e., “.apk” files) compared to other manufacturers running the same Android version. For the rest of our study, we focus on 82,501 Android apps present in the dataset, leaving the analysis of root certificates and libraries for future work.

Our user-base is geographically distributed across 130 countries, yet 35% of our users are located in Europe, 29% in America (North and South), and 24% in Asia. Further, up to 25% and 20% of the total number of devices in our dataset belong to Samsung and Huawei ones, respectively. This is coherent with market statistics available online [35], [10]. While both manufacturers are Google-certified vendors, our dataset also contains low-end Android devices from manufacturers targeting markets such as Thailand, Indonesia, and India – many of these vendors are not Google-certified. Finally, to avoid introducing any bias in our results, we exclude 321 potentially rooted handsets from our study.⁴

¹ We use the MD5 hash of the IMEI to uniquely identify a user, and the build fingerprint reported by the vendor to uniquely identify a given device model. Note that two devices with the same fingerprint may be customized and therefore, have different apps pre-installed.
² We rely on the vendor string self-reported by the OS vendor, which could be bogus. For instance, Alps rebrands as “iPhone” some of its models, which, according to information available online, are Android-based replicas of iOS.
³ We found that 5,244 of the apps do not have any activity, service, or receiver. These apps may potentially be used as providers of resources (e.g., images, fonts) for other apps.
⁴ We consider that a given device is rooted according to three signals. First, when Firmware Scanner has finished the upload of pre-installed binaries, the app asks the user whether the handset is rooted according to their own understanding (note that the user may choose not to answer the question). As a complement, we use the library RootBeer [63] to programmatically check if a device is rooted or not. If any of these sources indicates that the device is potentially rooted, we consider it as such. Finally, we discard devices where there is evidence of custom ROMs having been installed (e.g., LineageOS). We discuss the limitations of this method in Section VI.

B. Lumen

Lumen is an Android app available on Google Play that aims to promote mobile transparency and enable user control over their personal data and traffic. It leverages the Android VPN permission to intercept and analyze all Android traffic in user-space and in-situ, even if encrypted, without needing root permissions. By running locally on the user’s device, Lumen is able to correlate traffic flows with system-level information and app activity. Lumen’s architecture is publicly available and described in [86]. Lumen allows us to accurately determine which app is responsible for an observed PII leak from the vantage point of the user and as triggered by real user and device stimuli in the wild. Since all the analysis occurs on the device, only processed traffic metadata is exfiltrated from the device.

Dataset: For this study, we use anonymized traffic logs provided by over 20.4K users from 144 countries (according to Google Play Store statistics) coming from Android phones manufactured by 291 vendors. This includes 34,553,193 traffic flows from 139,665 unique apps (298,412 unique package name and version combinations). However, as Lumen does not collect app fingerprints or hashes of files, to find the overlap between the Lumen dataset and the pre-installed apps, we match records sharing the same package name, app version, and device vendor as the ones in the pre-installed apps dataset. While this method does not guarantee that the overlapping apps are exactly the same, it is safe to assume that phones that are not rooted are not shipped with different apps under the same package names and app versions. As a result, we have 1,055 unique pre-installed app/version/vendor combinations present in both datasets.

C. Ethical Concerns

Our study involves the collection of data from real users who organically installed Firmware Scanner or Lumen on their devices. Therefore, we follow the principles of informed consent [76] and we avoid the collection of any personal or sensitive data. We sought the approval of our institutional Ethics Board and Data Protection Officer (DPO) before starting the data collection. Both tools also provide extensive privacy policies in their Google Play profile. Below we discuss details specific to each tool.

Firmware Scanner: The app collects some metadata about the device to attribute observations to manufacturers (e.g., its

| Vendor | Country | Certified partner | Device Fingerprints | Users | Files (med.) | Apps (med.) | Libs (med.) | DEX (med.) | Root certs (med.) | Files (total) | Apps (total) |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Samsung | South Korea | Yes | 441 | 924 | 868 | 136 | 556 | 83 | 150 | 260,187 | 29,466 |
| Huawei | China | Yes | 343 | 716 | 1,084 | 68 | 766 | 96 | 146 | 150,405 | 12,401 |
| LGE | South Korea | Yes | 74 | 154 | 675 | 84 | 385 | 89 | 150 | 58,273 | 3,596 |
| Alps Mobile | China | No | 65 | 136 | 632 | 56 | 385 | 46 | 148 | 29,288 | 2,883 |
| Motorola | US/China | Yes | 50 | 110 | 801 | 127 | 454 | 62 | 151 | 28,291 | 2,158 |
| Total (214 vendors) | — | 22% | 1,742 | 2,748 | | | | | | 424,584 | 82,501 |

Table I: General statistics for the top-5 vendors in our dataset.

model and fingerprint) along with some data about the pre-installed applications (extracted from the Package Manager), network operator (MNO), and user (the timezone, and the MCC and MNC codes from their SIM card, if available). We compute the MD5 hash of the device’s IMEI to identify duplicates and updated firmware versions for a given device.

Lumen: Users are required to opt in twice before initiating traffic interception [76]. Lumen preserves its users’ privacy by performing flow processing and analysis on the device, only sending anonymized flow metadata for research purposes. Lumen does not send back any unique identifiers, device fingerprints, or raw traffic captures. To further protect users’ privacy, Lumen also ignores all flows generated by browser apps which may potentially deanonymize a user; and allows the user to disable traffic interception at any time.

III. ECOSYSTEM OVERVIEW

The openness of Android OS has enabled a complex supply chain ecosystem formed by different stakeholders, be it manufacturers, MNOs, affiliated developers, and distributors. These actors can add proprietary apps and features to Android devices, seeking to provide a better user experience, add value to their products, or provide access to proprietary services. However, this could also be for (mutual) financial gain [32], [14]. This section provides an overview of pre-installed Android packages to uncover some of the gray areas that surround them, the large and diverse set of developers involved, the presence of third-party advertising and tracking libraries, and the role of each stakeholder.

A. Developer Ecosystem

We start our study by analyzing the organizations signing each pre-installed app. First, we cluster apps by the unique certificates used to sign them and then we rely on the information present in the Issuer field of the certificate to identify the organization [15]. Despite the fact that this is the most reliable signal to identify the organization signing the software, it is still noisy as a company can use multiple certificates, one for each organizational unit. More importantly, these are self-signed certificates, which significantly lowers the trust that can be put on them.

We were unable to identify the company behind several certificates (denoted as Unknown company in Table II) due to insufficient or dubious information in the certificate: e.g., the Issuer field only contains the mentions Company and department. We have come across apps that are signed by 42 different “Android Debug” certificates on phones from 21 different brands. This reflects poor and potentially insecure development practices as Android’s debug certificate is used to automatically sign apps in development environments, hence enabling other apps signed with that certificate to access its functionality without requesting any permission. Most app stores (including Google Play) will not accept the publication of an app signed with a Debug certificate [9]. Furthermore, we also found as many as 115 certificates that only mention “Android” in the Issuer field. A large part (43%) of those certificates are supposedly issued in the US, while others seem to have been issued in Taiwan (16%), China (13%), and Switzerland (13%). In the absence of a public list of official developer certificates, it is not possible to verify their authenticity or know their owner, as discussed in Section VI.

With this in mind, we extracted 1,200 unique certificates out of our dataset. Table II shows the 5 most present companies in the case of phone vendors (left) and other development companies (right). This analysis uncovered a vast landscape of third-party software in the long-tail, including large digital companies (e.g., LinkedIn, Spotify, and TripAdvisor), as well as advertising and tracking services. This is the case of ironSource, an advertising firm signing pre-installed software [43] found in Asus, Wiko and other vendors, and TrueCaller, a service to block unwanted calls or texts [57]. According to their website and also independent sources [40], [71], TrueCaller uses crowdsourced mechanisms to build a large dataset of phone numbers used for spam and also for advertising. Likewise, we have found 123 apps (by their MD5) signed by Facebook. These apps are found in 939 devices, 68% of which are Samsung’s. We have also found apps signed by AccuWeather, a weather service previously found collecting personal data aggressively [87], Adups software, responsible for the Adups backdoor [46], and GMobi [36], a mobile-advertising company previously accused of dubious practices by the Wall Street Journal [14].

B. Third-party Services

As in the web, mobile app developers can embed in their pre-installed software third-party libraries (TPLs) provided by other companies, including libraries (SDKs) provided by ad networks, analytics services or social networks. In this section we use LibRadar++, an obfuscation-resilient tool to identify TPLs used in Android apps [91], on our dataset to examine their presence due to the potential privacy implications for users: when present in pre-installed apps, TPLs have the capacity to monitor users’ activities longitudinally [90], [85]. We exclude well-known TPLs providing development support such as the Android support library. First, we classify the 11,665 unique TPLs identified by LibRadar++ according to the categories reported by Li et al. [83], AppBrain [51],

Phone vendors (left):

| Company name | Number of certificates | Country | Certified partner? |
|---|---|---|---|
| Google | 92 | United States | N/A |
| Motorola | 65 | US/China | Yes |
| Asus | 60 | Taiwan | Yes |
| Samsung | 38 | South Korea | Yes |
| Huawei | 29 | China | Yes |
| Total (vendors) | 740 | — | — |

Other companies (right):

| Company name | Number of certificates | Country | Number of vendors |
|---|---|---|---|
| MediaTek | 19 | China | 17 |
| Aeon | 12 | China | 3 |
| Tinno Mobile | 11 | China | 6 |
| Verizon Wireless | 10 | United States | 5 |
| Unknown company | 7 | China | 1 |
| Total | 460 | — | 214 |

Table II: Left: top-5 most frequent developers (as per the total number of apps signed by them), and right: for other companies.

and PrivacyGrade [58]. We manually classified those TPLs that were not categorized by these datasets.

| Category | # libraries | # apps | # vendors | Example |
|---|---|---|---|---|
| Advertisement | 164 (107) | 11,935 | 164 | Braze |
| Mobile analytics | 100 (54) | 6,935 | 158 | Apptentive |
| Social networks | 70 (20) | 6,652 | 157 | Twitter |
| All categories | 334 | 25,333 | 165 | — |

Table III: Selected TPL categories present in pre-installed apps. In brackets, we report the number of TPLs when grouped by package name.

We focus on categories that could cause harm to the users’ privacy, such as mobile analytics and targeted advertisement libraries. We find 334 TPLs in such categories, as summarized in Table III. We could identify advertising and tracking companies such as Smaato (specialized in geo-targeted ads [64]), GMobi, Appnext, ironSource, Crashlytics, and Flurry. Some of these third-party providers were also found shipping their own packages in Section III-A or are prominent actors across apps published in Google Play Store [85]. We found 806 apps embedding Facebook’s Graph SDK which is distributed over 748 devices. The certificates of these apps suggest that 293 of them were signed by the device vendor, and 30 by an operator (only 98 are signed by Facebook itself). The presence of Facebook’s SDKs in pre-installed apps could, in some cases, be explained by partnerships established by Facebook with Android vendors as the New York Times revealed [32].

We found other companies that provide mobile analytics and app monetization schemes such as Umeng, Fyber (previously Heyzap), and Kochava [85]. Moreover, we also found instances of advanced analytics companies in Asus handsets such as Appsee [17] and Estimote [28]. According to their website, Appsee is a TPL that allows developers to record and upload the users’ screen [16], including touch events [84]. If, by itself, recording the user’s screen does not constitute a privacy leak, recording and uploading this data could unintentionally leak private information such as account details. Estimote develops solutions for indoor geo-localization [28]. Estimote’s SDK allows an app to react to nearby wireless beacons to, for example, send personalized push notifications to the user upon entering a shop.

Finally, we find TPLs provided by companies specialized in the Chinese market [91] in 548 pre-installed apps. The most relevant ones are Tencent’s SDK, AliPay (a payment service) and Baidu SDK [20] (for advertising and geolocation / geocoding services), the last two possibly used as replacements for Google Pay and Maps in the Chinese market, respectively. Only one of the apps embedding these SDKs is signed by the actual third-party service provider, which indicates that their presence in pre-installed apps is likely due to the app developers’ design decisions.

C. Public and Non-public Apps

We crawled the Google Play Store to identify how many of the pre-installed apps found by Firmware Scanner are available to the public. This analysis took place on the 19th of November, 2018 and we only used the package name of the pre-installed apps as a parameter. We found that only 9% of the package names in our dataset are indexed in the Google Play Store. For those indexed, few categories dominate the spectrum of pre-installed apps according to Google Play metadata, notably communication, entertainment, productivity, tools, and multimedia apps.

The low presence of pre-installed apps in the store suggests that this type of software might have escaped any scrutiny by the research community. In fact, we have found samples of pre-installed apps developed by prominent organizations that are not publicly available on Google Play. For instance, software developed and signed by Facebook (e.g., com.facebook.appmanager), Amazon, and CleanMaster among others. Likewise, we found non-publicly available versions of popular web browsers (e.g., UME Browser, Opera).

Looking at the last update information reported by Android’s package manager for these apps, we found that pre-installed apps also present on Google Play are updated more often than the rest of pre-installed apps: 74% of the non-public apps do not seem to get updated and 41% of them remained unpatched for 5 years or more. If a vulnerability exists in one of these applications (see Section V), the user may stay at risk for as long as they keep using the device.

IV. PERMISSION ANALYSIS

Android implements a permissions model to control apps’ access to sensitive data and system resources [56]. By default, apps are not allowed to perform any protected operation. Android permissions are not limited to those defined by AOSP: any app developer – including manufacturers – can define their own custom permissions to expose their functionality to other apps [26]. We leverage Androguard [4] to extract and study the permissions, both declared and requested, by pre-installed apps. We primarily focus on custom permissions as i) pre-installed services have privileged access to system resources, and ii) privileged pre-installed services may (involuntarily) expose critical services and data, even bypassing Android’s official permission set.

A. Declared Custom Permissions

We identify 1,795 unique Android package names across 108 Android vendors defining 4,845 custom permissions. We exclude AOSP–defined permissions and those associated with Google’s Cloud Messaging (GCM) [37]. The number of custom permissions declared per Android vendor varies across brands and models due to the actions of other stakeholders in the supply chain. We classify the organizations declaring custom permissions in 8 groups as shown in Table IV: hardware vendors, MNOs (e.g., Verizon), third-party services (e.g., Facebook), AV firms (e.g., Avast), industry alliances (e.g., GSMA), chipset manufacturers (e.g., Qualcomm), and browsers (e.g., Mozilla). We could not confidently identify the organizations responsible for 9% of all the custom permissions.⁵

⁵ While Android’s documentation recommends using reverse-domain-style naming for defining custom permissions to avoid collisions [26], 269 of them – many of which are declared by a single hardware vendor – start with AOSP prefixes such as android.permission.*. The absence of good development practices among developers complicated this classification, forcing us to follow a semi-manual process that involved analyzing multiple signals to identify their possible purpose and for attribution.

As shown in Table IV, 63% of all declared custom permissions are defined by 31 handset vendors according to our classification. Most of them are associated with proprietary services such as Mobile Device Management (MDM) solutions for enterprise customers. Yet three vendors account for over 68% of the total custom permissions; namely Samsung (41%), Huawei (20%), and Sony (formerly Sony-Ericsson, 7%). Most of the custom permissions added by hardware vendors – along with chipset manufacturers, and MNOs – are exposed by Android core services, including the default browser com.android.browser. Unfortunately, as demonstrated in the MediaTek case [79], exposing such sensitive resources in critical services may potentially increase the attack surface if not implemented carefully.

| Package | Custom permissions | Vendor | Third-party | MNO | Chipset | AV / Security | Ind. Alliance | Browser | Other |
|---|---|---|---|---|---|---|---|---|---|
| Total | 4,845 (108) | 3,760 (37) | 192 (34) | 195 (15) | 67 (63) | 46 (13) | 29 (44) | 7 (6) | 549 (75) |
| Android modules: | | | | | | | | | |
| android | 494 (21) | 410 (9) | — | 12 (2) | 4 (13) | — | 6 (7) | — | 62 (17) |
| com.android.systemui | 90 (15) | 67 (11) | 1 (2) | — | — | — | — | — | 22 (8) |
| com.android.settings | 87 (16) | 63 (12) | — | 1 (1) | — | — | — | — | 23 (8) |
| com.android.phone | 84 (14) | 56 (9) | — | 5 (2) | 3 (5) | — | — | — | 20 (10) |
| com.android.mms | 59 (11) | 35 (10) | — | 1 (2) | — | — | 1 (1) | — | 22 (8) |
| com.android.contacts | 40 (7) | 32 (3) | — | — | — | — | — | — | 8 (5) |
| com.android.email | 33 (10) | 18 (4) | — | — | — | — | — | — | 15 (17) |

Table IV: Summary of custom permissions per provider category (columns Vendor through Other) and their presence in selected sensitive Android core modules. The value in brackets reports the number of Android vendors in which custom permissions were found.

An exhaustive analysis of custom permissions also suggests (and in some cases confirms) the presence of service integration and commercial partnerships between handset vendors, MNOs, analytics services (e.g., Baidu, ironSource, and Digital Turbine), and online services (e.g., Skype, LinkedIn, Spotify, CleanMaster, and Dropbox). We also found custom permissions associated with vulnerable modules (e.g., MediaTek) and potentially harmful services (e.g., Adups). We discuss cases of interest below.

VPN solutions: Android provides native support to third-party VPN clients. This feature is considered as highly sensitive as it gives any app requesting access the capacity to break Android’s sandboxing and monitor users’ traffic [68], [80]. The analysis of custom permissions reveals that Samsung and Meizu implement their own VPN service. It is unclear why these proprietary VPN implementations exist but it has been reported as problematic by VPN developers for whom their clients, designed for Android’s default VPN service, do not run on such handsets [1], [86], [80]. A complete analysis of these VPN packages is left for future work.

Facebook: We found 6 different Facebook packages, three of them unavailable on Google Play, declaring 18 custom permissions as shown in Table V. These permissions have been found in 24 Android vendors, including Samsung, Asus, Xiaomi, HTC, Sony, and LG. According to users’ complaints, two of these packages (com.facebook.appmanager and com.facebook.system) seem to automatically download other Facebook software such as Instagram in users’ phones [69], [70]. We also found interactions between Facebook and MNOs such as Sprint.

| Package | Public | # Vendors | # Permissions |
|---|---|---|---|
| com.facebook.system | No | 18 | 2 |
| com.facebook.appmanager | No | 15 | 4 |
| com.facebook.katana (Facebook) | Yes | 14 | 8 |
| com.facebook.orca (Messenger) | Yes | 5 | 5 |
| com.facebook.lite (FB Lite) | Yes | 1 | 1 |
| com.facebook.pages.app | No | 1 | 4 |
| Total | 3 | 24 | 18 |

Table V: Facebook packages on pre-installed handsets.

Baidu: Baidu’s geo-location permission is exposed by pre-installed apps, including core Android modules, in 7 different vendors, mainly Chinese ones. This permission seems to be associated with Baidu’s geocoding API [19] and could allow app developers to circumvent Android’s location permission.

Digital Turbine: We have identified 8 custom permissions in 8 vendors associated with Digital Turbine and its subsidiary LogiaGroup. Their privacy policy indicates that they collect personal data ranging from UIDs to traffic logs that could be shared with their business partners, which are undisclosed [27]. According to the SIM information of these devices, Digital Turbine modules are mainly found in North-American and Asian users. One package name, com.dti.att (“dti” stands for Digital Turbine Ignite), suggests the presence of a partnership with AT&T. A manual analysis confirms that this is the case. By inspecting their source-code, this package seems to implement a comprehensive software management service. Installations and removals of apps by users are tracked and linked with PII, which only seem to be “masked” (i.e., hashed) discretionally.

ironSource: The advertising company ironSource exposes custom permissions related to its AURA Enterprise Solutions [44]. We have identified several vendor-specific packages exposing custom ironSource permissions, in devices made by vendors such as Asus, Wiko, and HTC (the package name and certificate signatures suggest that those modules are possibly introduced with vendor’s collaboration). According to ironSource’s material [45], AURA has access to over 800 million users per month, while gaining access to advanced analytics services and to pre-load software on customers’ devices. A superficial analysis of some of these packages (e.g., com.ironsource.appcloud.oobe.htc, com.ironsource.appcloud.oobe.asus) reveals that they provide vendor-specific out-of-the-box-experience apps (OOBE) to customize a given user’s device when the users open their device for the first time and empower user engagement [44], while also monitoring users’ activities.

Other Advertising and Tracking Services: Discussing every custom permission introduced by third-party services individually would require an analysis beyond the scope of this paper. However, there are a couple of anecdotes of interest that we discuss next. One is the case of a pre-installed app signed by Vodafone (Greece) and present in a Samsung device that exposes a custom permission associated with Exus [31], a firm specialized in credit risk management and banking solutions. Another service declaring custom permissions in Samsung and LG handsets (likely sold by Verizon) is the analytics and user engagement company Synchronoss. Its privacy policy acknowledges the collection, processing and sharing of personal data [65].

Call protection services: We identify three external companies providing services for blocking undesired and spam phone calls and text messages: Hiya [38], TrueCaller [57], and PrivacyStar [59]. Hiya’s solution seems to be integrated by T-Mobile (US), Orange (Spain), and AT&T (US) in their subsidized Samsung and LG handsets according to the package signatures. Hiya and TrueCaller’s privacy policies indicate that they collect personal data from end users, including contacts stored in the device, UIDs, and personal information [39].⁶ PrivacyStar’s privacy policy, instead, claims that any information collected from a given user’s contacts is “NOT exported outside the App for any purpose” [60].

⁶ Note: the information rendered in their privacy policy differs when crawled from a machine in the EU or the US. As of January 2019, none of these companies mention the new European GDPR directive in their privacy policies.

[Figure 2: Permissions defined by AV firms, MNOs, chipset vendors and third parties, requested by pre-installed apps. Heatmap; x-axis: handset vendor; rows grouped into Alliances, AV/Security, Chipset, MNO and Third-parties; color scale: n.]

B. Used Permissions

The use of permissions by pre-installed Android apps follows a power-law distribution: 4,736 of the package names request at least one permission and 55 apps request more than 100. The fact that pre-installed apps request many permissions to deliver their service does not necessarily imply a breach of privacy for the user. However, we identified a significant number of potentially over-privileged vendor- and MNO-specific packages with suspicious activities such as com.jrdcom.Elabel – a package signed by TCLMobile requesting 145 permissions and labeled as malicious by Hybrid Analysis (a free online malware analysis service) – and com.cube26.coolstore (144 permissions). Likewise, the calculator app found on a Xiaomi Mi 4c requests user’s location and the phone state, which gives it access to UIDs such as the IMEI. We discuss more instances of over-privileged apps in Section V-C.

Dangerous Android permissions. The median pre-installed Android app requests three dangerous AOSP permissions. When we look at the set of permissions requested by a given app (by its package name) across vendors, we can notice significant differences. We investigate such variations in a subset of 150 package names present at least in 20 different vendors. This list contains mainly core Android services as well as apps signed by independent companies (e.g., Adups) and chipset manufacturers (e.g., Qualcomm).

Then, we group together all the permissions requested by a given package name across all device models for each brand. As in the case of exposed custom permissions, we can see a tendency towards over-privileging these modules in specific vendors. For instance, the number of permissions requested by the core android module can range from 9 permissions in a Google-branded Android device to over 100 in most Samsung devices. Likewise, while the median
com.android.contacts service requests 35 permissions, this number goes over 100 for Samsung, Huawei, Advan, and LG devices.

Custom permissions. 2,910 pre-installed apps request at least one custom permission. The heatmap in Figure 2 shows the number of custom permissions requested by pre-installed packages in a hand-picked set of popular Android manufacturers (x-axis). As we can see, the use of custom permissions also varies across vendors, with those associated with large third-party analytics and tracking services (e.g., Facebook), MNOs (e.g., Vodafone), and AV/Security services (e.g., Hiya) being the most requested ones.

This analysis uncovers possible partnerships beyond those revealed in the previous sections. We identify vendor-signed services accessing ironSource’s, Hiya’s, and AccuWeather’s permissions. This state of affairs potentially allows third-party services and developers to gain access to protected permissions requested by other pre-installed packages signed with the same signature. Further, we found Sprint-signed packages resembling that of Facebook and Facebook’s Messenger APKs (com.facebook.orca.vpl and com.facebook.katana.vpl) requesting Flurry-related permissions (a third-party tracking service owned by Verizon).

Commercial relationships between third-party services and vendors appear to be bi-directional as shown in Figure 3. This figure shows evidence of 87 apps accessing vendor permissions, including packages signed by Facebook, ironSource, Hiya, Digital Turbine, Amazon, Verizon, Spotify, various browsers, and MNOs – grouped by developer signature for clarity purposes. As the heatmap indicates, Samsung, HTC and Sony are the vendors enabling most of the custom permissions requested by over-the-top apps. We found instances of apps listed on the Play Store also requesting such permissions. Unfortunately, custom permissions are not shown to users when shopping for mobile apps in the store – therefore they are apparently requested without consent – allowing them to cause serious damage to users’ privacy when misused by apps.

[Figure 3: Apps accessing vendors’ custom permissions. Heatmap; x-axis: handset vendor; y-axis: signature (organization); color scale: n.]

C. Permission Usage by TPLs

We look at the permissions used by apps embedding at least one TPL. We study the access to permissions with a protection level of either signature or signature|privileged as they can only be granted to system apps [50] or those signed with a system signature. The presence of TPLs in pre-installed apps requesting access to a signature or dangerous permission can, therefore, give it access to very sensitive resources without user awareness and consent. Figure 4 shows the distribution of signature permissions requested across apps embedding TPLs. We find that the most used permissions – READ_LOGS – allow the app (and thus the TPLs within it) to read system logs, mount and unmount filesystems, or install packages. We find no significant differences between the three types of TPLs of interest. For completeness, we also find that 94 apps embedding TPLs of interest request custom permissions as well. Interestingly, 53% of the 88 custom permissions used by these apps are defined by Samsung.

[Figure 4: System permissions requested by pre-installed apps embedding TPLs. Bar chart; x-axis: permission usage; one bar group per system permission; series: advertisement, analytics and social libraries.]

D. Component Exposing

Custom permissions are not the only mechanism available for app developers to expose (or access) features and components to (or from) other apps. Android apps can also interact with each other using intents, a high-level communication abstraction [42]. An app may expose its component(s) to external apps by declaring android:exported=true in the manifest without protecting the component with any additional measure, or by adding one or more intent-filters to its declaration in the manifest; exposing it to a type of attack known in the literature as a confused deputy attack [79]. If the exported attribute is used, it can be protected by adding a permission to the component, be it a custom permission or an AOSP one, through checking the caller app’s permissions programmatically in the component’s Java class.

We sought to identify potentially careless development practices that may lead to components getting exposed without any additional protection. Exporting components can lead to:
i) harmful or malicious apps launching an exposed activity, tricking users into believing that they are interacting with the benign one; ii) initiating and binding to unprotected services; and iii) malicious apps gaining access to sensitive data or the ability to modify the app’s internal state.

We found 6,849 pre-installed apps that potentially expose at least one activity in devices from 166 vendors and signed by 261 developer signatures with exported=true. For services, 4,591 apps (present in 157 vendors) signed by 183 developers including manufacturers, potentially exposed one or more of their services to external apps. The top-10 vendors in our dataset account for over 70% of the potentially exposed activities and services. Other relevant examples include an app that potentially exposes several activities related to system configurations (device administration, networking, etc.), hence allowing a malicious developer to access or even tamper with a user’s device settings. The core package com.android.mms found in customized firmware versions across several vendors also exposes services to read WAP messages to other apps. We also found 8 different instances of a third-party app, found in handsets built by two large Android manufacturers, whose intended purpose is to provide remote technical support to customers. This particular service provides remote administration to MNOs, including the ability to record audio and video, browse files, access system settings, and upload/download files. The key service to do so is exposed and can be misused by other apps.

We leave the detailed study of apps vulnerable to confused deputy attacks and the study of the access to these resources by apps publicly available on Google Play for future work.

V. BEHAVIORAL ANALYSIS

We analyze the apps in our dataset to identify potentially harmful and unwanted behaviors. To do this, we leverage both static and dynamic analysis tools to elicit behavior and characterize purpose and means. This section describes our analysis pipeline and evidence of potentially harmful and privacy-intrusive pre-installed packages.

A. Static Analysis

We triage all apps to determine the presence of potentially harmful behaviors. This step allows us to obtain a high-level overview of behaviors across the dataset and also provides us with the basis to score apps and flag those potentially more interesting. This step is critical since we could only afford to manually inspect a limited subset of all available apps.

Toolkit. Our analysis pipeline integrates various static analysis tools to elicit behavior in Android apps, including Androwarn [12], FlowDroid [74], and Amandroid [92], as well as a number of custom scripts based on the Apktool [13] and Androguard [4] frameworks. In this stage we do not use dynamic analysis tools, which prevents us from identifying hidden behaviors that rely on dynamic code uploading (DEX loading) or reflection. This means that our results present a lower-bound estimation of all the possible potentially harmful behaviors. We search for apps using DEX loading and reflection to identify targets that deserve manual inspection.

Dataset. Because of scalability limitations – our dataset comprises 82,501 APK files with 6,496 unique package names – we randomly select one APK file for each package name and analyze the resulting set of apps, obtaining an analysis report for 48% of them. The majority of the remaining packages could not be analyzed due to the absence of a classes.dex for odexed files. Even though in some cases we had the corresponding .odex file, we generally could not deodex it since the device’s Android framework file was needed to complete this step but Firmware Scanner did not collect it. Moreover, we could not analyze a small subset of apps due to the limitations of our tools, including errors generated during analysis, file size limitations, or analysis tools becoming unresponsive after hours of processing. Instead, we focused our analysis on the subset of apps for which we could generate reports.

Results. We processed the analysis reports and identified the presence of the 36 potentially privacy intrusive behaviors or potentially harmful behaviors listed in Table VI. The results suggest that a significant fraction of the analyzed apps could access and disseminate both user and device identifiers, user’s location, and device current configuration. According to our flow analysis, these results give the impression that personal data collection and dissemination (regardless of the purpose or consent) is not only pervasive but also comes pre-installed. Other a priori concerning behaviors include the possible dissemination of contacts and SMS contents (164 and 74 apps, respectively), sending SMS (29 apps), and making phone calls (339 apps). Even though there are perfectly legitimate use cases for these behaviors, they are also prevalent in harmful and potentially unwanted software. The distribution of the number of potentially harmful behaviors per app follows a power-law distribution. Around 25% of the analyzed apps present at least 5 of these behaviors, with almost 1% of the apps showing 20 or more. The bulk of the distribution relates to the collection of telephony and network identifiers, interaction with the package manager, and logging activities. This provides a glimpse of how pervasive user and device fingerprinting is nowadays.

B. Traffic Analysis

While static analysis can be helpful to determine a lower bound of what an app is capable of, relying on this technique alone gives an incomplete picture of the real-world behavior of an app. This might be due to code paths that are not available at the time of analysis, including those that are within statically- and dynamically-linked libraries that are not provided with apps, behaviors determined by server-side logic (e.g., due to real-time ad-bidding), or code that is loaded at runtime using Java’s reflection APIs. This limitation of static approaches is generally addressed by complementing static analysis with dynamic analysis tools. However, due to various limitations (including missing hardware features and software components) it was unfeasible for us to run all the pre-installed apps in our dataset in an analysis sandbox. Instead, we decided to use the crowd-sourced Lumen mobile traffic dataset to find evidence of dissemination of personal data from the pre-installed apps by examining packages that exist in both datasets.
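
The manifest-level checks behind Sections IV-A and IV-D, as an added example (not the authors' tooling, which is built on Androguard): it reads a decoded AndroidManifest.xml such as Apktool produces, lists declared custom permissions and flags those that reuse the android.* prefix noted in footnote 5, and reports activities, services and receivers that are exported with no permission or with a guard any app can obtain. The package name, permission names and sample manifest are constructed for illustration, and content providers are left out.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Content providers are left out: their read/write/path permissions need separate handling.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")
BASE_LEVELS = {0: "normal", 1: "dangerous", 2: "signature", 3: "signatureOrSystem"}

# Constructed sample manifest (hypothetical vendor package and permission names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.support">
  <permission android:name="com.example.vendor.support.permission.REMOTE_ADMIN"
              android:protectionLevel="signature|privileged"/>
  <permission android:name="android.permission.VENDOR_DIAG"
              android:protectionLevel="normal"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="com.example.partner.permission.ANALYTICS"/>
  <application>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <service android:name=".RemoteAdminService" android:exported="true"
             android:permission="com.example.vendor.support.permission.REMOTE_ADMIN"/>
    <service android:name=".DiagService"
             android:permission="android.permission.VENDOR_DIAG">
      <intent-filter><action android:name="com.example.vendor.support.DIAG"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".InternalService"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(ANDROID_NS + name)


def base_level(raw):
    """Reduce protectionLevel ("signature|privileged" or numeric "0x12") to its base level."""
    if not raw:
        return "normal"  # documented default when the attribute is missing
    try:
        return BASE_LEVELS.get(int(raw, 0) & 0xF, "unknown")
    except ValueError:
        return raw.split("|")[0].strip()


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text.strip())
    package = root.get("package", "")
    declared = {attr(p, "name"): base_level(attr(p, "protectionLevel"))
                for p in root.findall("permission") if attr(p, "name")}
    # Footnote 5 case: a non-framework package declaring names under the AOSP prefix.
    aosp_prefixed = sorted(n for n in declared
                           if n.startswith("android.") and package != "android")
    # Prefix-based split; it misses custom permissions that borrow the android.* prefix.
    requested_custom = sorted(
        n for n in (attr(u, "name") for u in root.findall("uses-permission"))
        if n and not n.startswith("android."))

    exposed = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        flag = attr(comp, "exported")
        # With no explicit flag, an intent-filter makes the component exported
        # (the historic default; apps targeting Android 12+ must set the flag).
        implicit = flag is None
        is_exported = comp.find("intent-filter") is not None if implicit else flag == "true"
        if not is_exported:
            continue
        guard = attr(comp, "permission") or attr(app, "permission")
        if guard is None:
            status = "unguarded"
        elif guard not in declared:
            status = "guard-defined-elsewhere"  # resolve the level in the defining package
        elif declared[guard] in ("normal", "dangerous"):
            status = "weak-guard"  # obtainable by any app, automatically or via a user prompt
        else:
            status = "guarded"
        name = attr(comp, "name") or ""
        if name.startswith("."):
            name = package + name
        elif "." not in name:
            name = package + "." + name
        exposed.append({"component": name, "type": comp.tag,
                        "implicit_export": implicit, "guard": guard, "status": status})
    return {"package": package, "declared": declared, "aosp_prefixed": aosp_prefixed,
            "requested_custom": requested_custom, "exposed": exposed}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("AOSP-prefixed custom permissions:", report["aosp_prefixed"])
    for item in report["exposed"]:
        print(f'{item["status"]:24} {item["type"]:9} {item["component"]}')
```

A "guard-defined-elsewhere" result needs the protection level looked up in the package that declares the permission before the component can be called protected.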

| Category | Accessed PII type / behaviors | Apps (#) | Apps (%) |
|---|---|---|---|
| Telephony identifiers | IMEI | 687 | 21.8 |
| Telephony identifiers | IMSI | 379 | 12 |
| Telephony identifiers | Phone number | 303 | 9.6 |
| Telephony identifiers | MCC | 552 | 17.5 |
| Telephony identifiers | MNC | 552 | 17.5 |
| Telephony identifiers | Operator name | 315 | 10 |
| Telephony identifiers | SIM Serial number | 181 | 5.7 |
| Telephony identifiers | SIM State | 383 | 12.1 |
| Telephony identifiers | Current country | 194 | 6.2 |
| Telephony identifiers | SIM country | 196 | 6.2 |
| Telephony identifiers | Voicemail number | 29 | 0.9 |
| Device settings | Software version | 25 | 0.8 |
| Device settings | Phone state | 265 | 8.4 |
| Device settings | Installed apps | 1,286 | 40.8 |
| Device settings | Phone type | 375 | 11.9 |
| Device settings | Logs | 2,568 | 81.4 |
| Location | GPS | 54 | 1.7 |
| Location | Cell location | 158 | 5 |
| Location | CID | 162 | 5.1 |
| Location | LAC | 137 | 4.3 |
| Network interfaces | Wi-Fi configuration | 9 | 0.3 |
| Network interfaces | Current network | 1,373 | 43.5 |
| Network interfaces | Data plan | 699 | 22.2 |
| Network interfaces | Connection state | 71 | 2.3 |
| Network interfaces | Network type | 345 | 10.9 |
| Personal data | Contacts | 164 | 11 |
| Personal data | SMS | 73 | 2.31 |
| Phone service abuse | SMS sending | 29 | 0.92 |
| Phone service abuse | SMS interception | 0 | 0 |
| Phone service abuse | Disabling SMS notif. | 0 | 0 |
| Phone service abuse | Phone calls | 339 | 10.7 |
| Audio/video interception | Audio recording | 74 | 2.4 |
| Audio/video interception | Video capture | 21 | 0.7 |
| Arbitrary code execution | Native code | 775 | 24.6 |
| Arbitrary code execution | Linux commands | 563 | 17.9 |
| Remote conn. | Remote connection | 89 | 2.8 |

Table VI: Volume of apps accessing / reading PII or showing potentially harmful behaviors. The percentage is referred to the subset of triaged packages (N = 3,154).

| Organization | # of apps | # of domains |
|---|---|---|
| Alphabet | 566 | 17052 |
| Facebook | 322 | 3325 |
| Amazon | 201 | 991 |
| Verizon Communications | 171 | 320 |
| Twitter | 137 | 101 |
| Microsoft | 136 | 408 |
| Adobe | 116 | 302 |
| AppsFlyer | 98 | 10 |
| comScore | 86 | 8 |
| AccuWeather | 86 | 15 |
| Moat Inc. | 79 | 20 |
| Appnexus | 79 | 35 |
| Baidu | 72 | 69 |
| Criteo | 70 | 62 |
| PerfectPrivacy | 68 | 28 |
| Other ATS | 221 | 362 |

Table VII: Top 15 parent ATS organizations by number of apps connecting to all their associated domains.

Results. Of the 3,118 pre-installed apps with Internet access permissions, 1,055 have at least one flow in the Lumen dataset. At this point, our analysis of these apps focused on two main aspects: uncovering the ecosystem of organizations who own the domains that these apps connect to, and analyzing the types of private information they could disseminate from user devices. To understand the ecosystem of data collection by pre-installed apps, we studied where the data that is collected by these apps makes its first stop. We use the Fully-Qualified Domain Names (FQDN) of the servers that are contacted and use the web crawling and text mining techniques described in our previous work [85] to determine the parent organization that owns these domains.

The Big Players. Table VII shows the parent organizations who own the most popular domains contacted by pre-installed apps in the Lumen dataset. Of the 54,614 domains contacted by apps, 7,629 belong to well-known Advertising and Tracking Services (ATS) [85]. These services are represented by organizations like Alphabet, Facebook, Verizon (now owner of Yahoo!, AOL, and Flurry), Twitter (MoPub’s parent organization), AppsFlyer, comScore, and others. As expected, Alphabet, the entity that owns and maintains the Android platform and many of the largest advertising and tracking services (ATS) in the mobile ecosystem [85], also owns most of the domains to which pre-installed apps connect. Moreover, vendors who ship their devices with the Google Play Store have to go through Google’s certification program which, in part, entails pre-loading Google’s services. Among these services is Google’s own com.google.backuptransport package, which sends a variety of information about the user and the device on which it runs to Google’s servers.

Traffic analysis also confirms that Facebook and Twitter services come pre-installed on many phones and are integrated into various apps. Many devices also pre-install weather apps like AccuWeather and The Weather Channel. As reported by previous research efforts, these weather providers also gather information about the devices and their users [87], [85].

C. Manual Analysis: Relevant Cases

We used the output provided by our static and dynamic analysis pipeline to score apps and thus flag a reduced subset of packages to inspect manually. Our goal here was to confidently identify potentially harmful and unwanted behavior in pre-installed apps. Other apps were added to this set based on the results of our third-party library and permission analysis performed in Sections III and IV, respectively. We manually analyzed 158 apps using standard tools that include DEX disassemblers (baksmali), dex-to-java decompilers (jadx, dex2jar), resource analysis tools (Apktool), instrumentation tools (Frida), and reverse engineering frameworks (radare2 and IDA Pro) for native code analysis. Our main findings can be loosely grouped into three large categories: 1) known malware; 2) potential personal data access and dissemination; and 3) potentially harmful apps. Table VIII provides some examples of the type of behaviors that we found.

Known Malware. We came across various isolated instances of known-malware in the system partition, mostly in low-end devices but also in some high-end phones. We identified variants of well-known Android malware families that have been prevalent in the last few years, including Triada, Rootnik, SnowFox, Xinyin, Ztorg, Iop, and dubious software developed by GMobi. We used VirusTotal to label these samples. According to existing AV reports, the range of behaviors that such

Family | Potential Behavior and Prevalence

Known Malware
Triada | Disseminates PII and other sensitive data (SMS, call logs, contact data, stored pictures and videos). Downloads additional stages. Roots the device to install additional apps.
Rootnik [62] | Gains root access to the device. Leaks PII and installs additional apps. Uses anti-analysis and anti-debugging techniques.
GMobi [11], [67] | Gmobi Trade Service. Leaks PII, including device serial number and MAC address, geolocation, installed packages and emails. Receives commands from servers to (1) send an SMS to a given number; (2) download and install apps; (3) visit a link; or (4) display a pop-up. It has been identified in low-end devices.

Potentially Dangerous Apps
Rooting app | Exposes an unprotected receiver that roots the device upon receiving a telephony secret code (via intent or dialing *#*#9527#*#*).
Blocker | If the device does not contain a signed file in a particular location, it loads and enforces 2 blacklists: one containing 103 packages associated with benchmarking apps, and another with 56 web domains related to phone reviews.

Potential Personal Data Access and Dissemination
TrueCaller | Sends PII to its own servers and embedded third-party ATSes such as AppsFlyer, Twitter-owned MoPub, Crashlytics, inMobi, Facebook, and others. Uploads phone call data to at least one of its own domains.
MetroName ID | Disseminates PII to its own servers and also to third-party services like Piano, a media audience and engagement analytics service that tracks user’s installation of news apps and other partners including those made by CNBC, Bloomberg, TechCrunch, and The Economist, among others, the presence of which it reports to its own domains.
Adups [47] | FOTA app. Collects and shares private and PII with their own servers and those of embedded third-party ATS domains, including Advmob and Nexage. Found worldwide in 55 brands.
Stats/Meteor | Redstone’s FOTA service. Uses dynamic code uploading and reflection to deploy components located in 2 encrypted DEX files. Disseminates around 50 data items that fully characterize the hardware, the telephony service, the network, geolocation, and installed packages. Performs behavioral and performance profiling, including counts of SMS/MMS, call logs, bytes sent and transmitted, and usage stats and performance counters on a package-basis. Silently installs packages on the device and reports what packages are installed / removed by the user.

Table VIII: Examples of relevant cases and their potential behaviors found after manual analysis of a subset of apps. When referring to personal data dissemination, the term PII encompasses items enumerated in Table VI.

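An added example (not from the paper): a static check for the pattern in Table VIII's "Rooting app" row, an exported component with no permission guard that reacts to a dialer secret code. It assumes the manifest has already been decoded to text XML (for instance with Apktool [13]); the package, component and permission names in the sample are constructed, and content providers are left out.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver")
SECRET_CODE_ACTIONS = {
    "android.provider.Telephony.SECRET_CODE",  # legacy dialer broadcast
    "android.telephony.action.SECRET_CODE",    # TelephonyManager.ACTION_SECRET_CODE
}

# Constructed sample: a hypothetical factory-test app, decoded to text XML.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.factorytest">
  <permission android:name="com.example.factorytest.permission.DIAG"
              android:protectionLevel="normal"/>
  <permission android:name="com.example.factorytest.permission.UPDATE"
              android:protectionLevel="signature|privileged"/>
  <application>
    <receiver android:name=".RootReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
        <data android:scheme="android_secret_code" android:host="9527"/>
      </intent-filter>
    </receiver>
    <service android:name=".DiagService" android:exported="true"
             android:permission="com.example.factorytest.permission.DIAG"/>
    <service android:name=".UpdateService" android:exported="true"
             android:permission="com.example.factorytest.permission.UPDATE"/>
    <activity android:name=".HardwareTest"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_exported(comp):
    """Explicit android:exported wins; otherwise (the default before
    Android 12) a component is exported iff it declares an intent filter."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag == "true"
    return comp.find("intent-filter") is not None


def secret_codes(comp):
    """Dialer codes (*#*#<code>#*#*) the component registers for."""
    codes = []
    for flt in comp.findall("intent-filter"):
        actions = {a.get(A + "name") for a in flt.findall("action")}
        if actions & SECRET_CODE_ACTIONS:
            codes += [d.get(A + "host") for d in flt.findall("data")
                      if d.get(A + "scheme") == "android_secret_code"]
    return codes


def audit_manifest(xml_text):
    """Return exported components that any co-located app can reach."""
    root = ET.fromstring(xml_text)
    # Custom permissions declared here; protectionLevel defaults to "normal".
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.findall("permission")}
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    app_perm = app.get(A + "permission")  # applies to all components if set
    for comp in app:
        if comp.tag not in COMPONENTS or not is_exported(comp):
            continue
        perm = comp.get(A + "permission") or app_perm
        if perm is None:
            issue = "unprotected"
        elif perm in levels and "signature" not in levels[perm]:
            issue = "weak-permission"  # normal/dangerous: any app may hold it
        else:
            continue  # signature-level, or declared elsewhere (not judged here)
        findings.append({"component": comp.get(A + "name"), "type": comp.tag,
                         "issue": issue, "secret_codes": secret_codes(comp)})
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```
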
samples exhibit encompass banking fraud, sending SMS to premium numbers or subscribing to services, silently installing additional apps, visiting links, and showing ads, among others. While our method does not allow us to distinguish whether potentially malicious apps are indeed pre-installed or took advantage of system vulnerabilities to install themselves in the system partition, it is important to highlight that the presence of pre-installed malware in Android devices has been previously reported by various sources [66], [6], [67]. Some of the found samples use Command and Control (C2) servers still in operation at the time of this writing.

Personal Data Access and Potential Dissemination. Nearly all apps which we identified as able to access PII appear to disseminate it to third-party servers. We also observed instances of apps with capabilities to perform hardware and network fingerprinting, often collected under the term “device capability,” and even analytics services that track the installation and removal of apps (notably news apps, such as those made by CNBC, Bloomberg, TechCrunch, and The Economist, among others). More intrusive behaviors include apps able to collect and send email and phone call metadata. The most extreme case we analyzed is a data collection service contained in a FOTA service associated with Redstone Sunshine Technology Co., Ltd. [61], an OTA provider that “supports 550 million phone users and IoT partners in 40 countries” [22]. This app includes a service that can collect and disseminate dozens of data items, including both user and device identifiers, behavioral information (counts of SMS and calls sent and received, and statistics about network flows) and usage statistics and performance information per installed package. Overall, this software seems to implement an analytics program that admits several monetization strategies, from optimized ad targeting to providing performance feedback to both developers and manufacturers. We emphasize that the data collected is not only remarkably extensive and multi-dimensional, but also very far away from being anonymous as it is linked to both user and device IDs.

Potentially dangerous apps. We found 612 pre-installed apps that potentially implement engineering- or factory-mode functions according to their package and app names. Such functions include relatively harmless tasks, such as hardware tests, but also potentially dangerous functions such as the ability to root the device. We found instances of such apps in which the rooting function was unprotected in their manifest (i.e., the component was available for every other app to use). We also identified well-known vulnerable engineering mode apps such as MTKLogger [82]. Such apps expose unprotected components that can be misused by other apps co-located in the device. Other examples include a well-known manufacturer’s service, which under certain conditions blacklists connections to a pre-defined list of 56 web domains (mobile device review and benchmarking websites, mostly) and disables any installed package that matches one of a list of 103 benchmarking apps.

VI. STUDY LIMITATIONS

Completeness and coverage. Our dataset is not complete in terms of Android vendors and models, even though we cover those with a larger market share, both in the high- and low-end parts of the spectrum. Our data collection process is also best-effort. The lack of background knowledge and documentation required performing a detailed case-by-case study and a significant amount of manual inspection. In terms of analyzed apps, determining the coverage of our study is difficult since we do not know the total number of pre-installed apps in all shipped handsets.

Attribution. There is currently no reliable way to accurately find the legitimate developer of a given pre-installed app by its
self-signed signature. We have found instances of certificates with just a country code in the Issuer field, and others with strings suggesting major vendors (e.g., Google) signed the app, where the apps certainly were not signed by them. The same applies to package and permission names, many of which are opaque and not named following best-practices. Likewise, the lack of documentation regarding custom permissions prevented us from automating our analysis. Moreover, a deeper study of this issue would require checking whether those permissions are granted at runtime, tracing the code to fully identify their purpose, and finding whether they are actually used by other apps in the wild, and at scale.

Package Manager. We do not collect the packages.xml file from our users’ devices as it contains information about all installed packages, and not just pre-installed ones. We consider that collecting this file would be invasive. This, however, limits our ability to see if user-installed apps are using services exposed by pre-installed apps via intents or custom permissions. We tried to compensate for that with a manual search for public apps that use pre-installed custom permissions, as discussed in Section IV-D.

Behavioral coverage. Our study mainly relies on static analysis of the samples harvested through Firmware Scanner, and we only applied dynamic analysis to a selected subset of 1,055 packages. This prevents us from eliciting behaviors that are only available at runtime because of the use of code loading and reflection, and also code downloading from third-party servers. Despite this, our analysis pipeline served to identify a considerable amount of potentially harmful behaviors. A deeper and broader analysis would possibly uncover more cases.

Identifying rooted devices. There is no sure way of knowing whether a device is rooted or not. While our conservative approach limits the number of false negatives, we have found occurrences of devices with well-known custom ROMs that were not flagged as rooted by RootBeer. Moreover, we have found some apps that allow a third party to root the device on-the-fly to, for example, install new apps on the system partition as discussed in Section V-C. Some of these apps can then un-root the phone to avoid detection. Under the presence of such an app on a device, we cannot know for sure if a given package – particularly a potentially malicious app – was pre-installed by an actor in the supply chain, or was installed afterwards.

VII. RELATED WORK

Android images customization. Previous work has been focused on studying modifications made to AOSP images, whether by adding root certificates [89], customizing the default apps [73], or the OS itself [95]. In [72], Aafer et al. introduced a new class of vulnerability caused by the firmware customization process. If an app is removed but a reference to it remains in the OS, a malicious app could potentially impersonate it, which could lead to privacy and security issues. While these studies have focused on Android images as a whole rather than pre-installed apps, they all show the complexity of the Android ecosystem and underline the lack of control over the supply chain.

Android permissions. Previous studies on Android permissions have mainly leveraged static analysis techniques to infer the role of a given permission [75], [78]. These studies, however, do not cover newer versions of Android [94], or custom permissions. In [81], Jiang et al. demonstrated how custom permissions are used to expose and protect services. Our work complements this study by showing how device makers and third parties alike declare and use custom permissions, and makes the first step towards a complete and in-depth analysis of the whole custom permissions’ landscape.

Vulnerabilities in pre-installed apps. A recent paper by Wu et al. [93] also used crowdsourcing mechanisms to detect apps that listen to a given TCP or UDP port and analyze the vulnerabilities that are caused by this practice. While their study is not limited to user-installed apps, they show evidence of pre-installed apps exhibiting this behavior.

VIII. DISCUSSION AND CONCLUSIONS

This paper studied, at scale, the vast and unexplored ecosystem of pre-installed Android software and its potential impact on consumers. This study has made clear that, thanks in large part to the open-source nature of the Android platform and the complexity of its supply chain, organizations of various kinds and sizes have the ability to embed their software in custom Android firmware versions. As we demonstrated in this paper, this situation has become a peril to users’ privacy and even security due to an abuse of privilege or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors.

The Supply Chain. The myriad of actors involved in the development of pre-installed software and the supply chain range from hardware manufacturers to MNOs and third-party advertising and tracking services. These actors have privileged access to system resources through their presence in pre-installed apps but also as third-party libraries embedded in them. Potential partnerships and deals – made behind closed doors between stakeholders – may have made user data a commodity before users purchase their devices or decide to install software of their own.

Attribution. Unfortunately, due to a lack of central authority or trust system to allow verification and attribution of the self-signed certificates that are used to sign apps, and due to a lack of any mechanism to identify the purpose and legitimacy of many of these apps and custom permissions, it is difficult to attribute unwanted and harmful app behaviors to the party or parties responsible. This has broader negative implications for accountability and liability in this ecosystem as a whole.

The Role of Users and Informed Consent. In the meantime regular Android users are, by and large, unaware of the presence of most of the software that comes pre-installed on their Android devices and their associated privacy risks. Users are clueless about the various data-sharing relationships and partnerships that exist between companies that have a hand in deciding what comes pre-installed on their phones. Users’ activities, personal data, and habits may be constantly monitored by stakeholders that many users may have never heard of, let alone consented to collect their data. We have demonstrated instances of devices being backdoored by companies with
the ability to root and remotely control devices without user awareness, and install apps through targeted monetization and user-acquisition campaigns. Even if users decide to stop or delete some of these apps, they will not be able to do so since many of them are core Android services and others cannot be permanently removed by the user without root privileges. It is unclear if the users have actually consented to these practices, or if they were informed about them before using the devices (i.e., on first boot) in the first place. To clarify this, we acquired 6 popular brand-new Android devices from vendors including Nokia, Sony, LG, and Huawei from a large Spanish retailer. When booting them, 3 devices did not present a privacy policy at all, only the Android terms of service. The rest rendered a privacy policy that only mentions that they collect data about the user, including PII such as the IMEI for added value services. Note that users have no choice but to accept Android’s terms of service, as well as the manufacturer’s one if presented to the user. Otherwise Android will simply stop booting, which will effectively make the device unusable.

Consumer Protection Regulations. While some jurisdictions have very few regulations governing online tracking and data collection, there have been a number of movements to regulate and control these practices, such as the GDPR in the EU [29], and California’s CCPA [21] in the US. While these efforts are certainly helpful in regulating the rampant invasion of users’ privacy in the mobile world, they have a long way to go. Most mobile devices still lack a clear and meaningful mechanism to obtain informed consent, which is a potential violation of the GDPR. In fact, it is possible that many of the ATSes that come pre-installed on Android devices may not be COPPA-compliant [88] – a US federal rule to protect minors from unlawful online tracking [23] –, despite the fact that many minors in the US use mobile devices with pre-installed software that engages in data collection. This indicates that even in jurisdictions with strict privacy and consumer protection laws, there still remains a large gap between what is done in practice and the enforcement capabilities of the agencies appointed to uphold the law.

Recommendations. To address the issues mentioned above and to make the ecosystem more transparent we propose a number of recommendations, which are made under the assumption that stakeholders are willing to self-regulate and to enhance the status quo. We are aware that some of these suggestions may inevitably not align with corporate interests of every organization in the supply chain, and that an independent third party may be needed to audit the process. Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs. Alternatively, in absence of self-regulation, governments and regulatory bodies could step in and enact regulations and execute enforcement actions that wrest back some of the control from the various actors in the supply chain. We also propose a number of actions that would help independent investigators to detect deceptive and potentially harmful behaviors.

• Attribution and accountability: To combat the difficulty in attribution and the resulting lack of accountability, we propose the introduction and use of certificates that are signed by globally-trusted certificate authorities. Alternatively, it may be possible to build a certificate transparency repository dedicated to providing details and attribution for self-signed certificates used to sign various Android apps, including pre-installed ones.

• Accessible documentation and consent forms: Similar to the manner in which open-source components of Android require any modified version of the code to be made publicly-available, Android devices can be required to document the specific set of apps that they have pre-installed, along with their purpose and the entity responsible for each piece of software, in a manner that is accessible and understandable to the users. This will ensure that at least a reference point exists for users (and regulators) to find accurate information about pre-installed apps and their practices. Moreover, the results of our small-scale survey of consent forms of some Android vendors leave a lot to be desired from a transparency perspective: users are not clearly informed about third-party software that is installed on their devices, including embedded third-party tracking and advertising services, the types of data they collect from them by default, and the partnerships that allow personal data to be shared over the Internet. This necessitates a new form of privacy policy suitable for pre-installed apps to be defined (and enforced) to ensure that such practices are at least communicated to the user in a clear and accessible way. This should be accompanied by mechanisms to enable users to make informed decisions about how or whether to use such devices without having to root them.

Final Remarks. Despite a full year of efforts, we were only able to scratch the surface of a much larger problem. This work is therefore exploratory, and we hope it will bring more attention to the Android supply chain ecosystem and its impact on users’ privacy and security. We have discussed our results with Google, which gave us useful feedback. Our work was also the basis of a report produced by the Spanish Data Protection Agency (AEPD) [3]. We will also improve the capabilities and features of both Firmware Scanner and Lumen to address some of the aforementioned limitations and develop methods to perform dynamic analysis of pre-installed software. Given the scale of the ecosystem and the need for manual inspections, we will gradually make our dataset (which keeps growing at the time of this writing) available to the research community and regulators to aid in future investigations and to encourage more research in this area.

ACKNOWLEDGMENTS

We are deeply grateful to our Firmware Scanner users for enabling this study, and ElevenPaths for their initial support in this project. We thank the anonymous reviewers for their helpful feedback. This project is partially funded by the US National Science Foundation (grant CNS-1564329), the European Union’s Horizon 2020 Innovation Action program (grant Agreement No. 786741, SMOOTH Project), the Spanish Ministry of Science, Innovation and Universities (grants DiscoEdge TIN2017-88749-R and SMOG-DEV TIN2016-79095-C2-2-R), and the Comunidad de Madrid (grant EdgeData-CM P2018/TCS-4499). Any opinions, findings, conclusions, or recommendations expressed in this paper are those of the authors and do not reflect the views of the funding bodies.
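
An added example (not from the paper): a triage pass for the two certificate patterns described under Attribution in Section VI, a signing certificate whose name holds only a country code and one that names a major vendor without being that vendor's certificate. It reads the text printed by `apksigner verify --print-certs`, which shows the subject DN (identical to the issuer for a self-signed certificate); the APK names, DNs, digests and the pin list are constructed placeholders.

```python
import re

# Constructed pin list: vendor keyword -> SHA-256 digests the analyst has
# verified out of band. The digest is a placeholder, not a real vendor key.
PINNED = {"google": {"aa" * 32}}

SIGNER_LINE = re.compile(
    r"^Signer #(\d+) certificate (DN|SHA-256 digest): (.*)$", re.M)


def parse_signers(text):
    """Return [(dn, sha256_hex)] for each signer in apksigner's output."""
    signers = {}
    for idx, field, value in SIGNER_LINE.findall(text):
        signers.setdefault(int(idx), {})[field] = value.strip()
    return [(s.get("DN", ""), s.get("SHA-256 digest", "").lower())
            for _, s in sorted(signers.items())]


def dn_attributes(dn):
    """Split a DN on unescaped commas into {ATTRIBUTE: [values]}."""
    attrs = {}
    for part in re.split(r"(?<!\\),\s*", dn):
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def assess(dn, sha256):
    """Flag names that carry no attribution or an unverifiable vendor claim."""
    attrs = dn_attributes(dn)
    flags = []
    if set(attrs) <= {"C"}:
        flags.append("country-only" if attrs else "empty-dn")
    claimed = " ".join(v for k in ("CN", "O", "OU")
                       for v in attrs.get(k, [])).lower()
    for vendor, digests in sorted(PINNED.items()):
        # Anyone can type a vendor name into a self-signed certificate;
        # only the certificate digest ties the APK to a known key.
        if vendor in claimed and sha256 not in digests:
            flags.append("claims-%s-unpinned" % vendor)
    return flags


def triage(outputs):
    """Map APK name -> flags, for APKs with at least one flag."""
    report = {}
    for apk, text in outputs.items():
        flags = [f for dn, digest in parse_signers(text)
                 for f in assess(dn, digest)]
        if flags:
            report[apk] = flags
    return report


def sample_output(dn, digest):
    """Build constructed apksigner-style output for one signer."""
    return ("Signer #1 certificate DN: %s\n"
            "Signer #1 certificate SHA-256 digest: %s\n"
            "Signer #1 certificate SHA-1 digest: %s\n" % (dn, digest, "00" * 20))


# Constructed samples; none of these values come from a real APK.
VENDOR_STYLE_DN = ("CN=Android, OU=Android, O=Google Inc., "
                   "L=Mountain View, ST=California, C=US")
SAMPLES = {
    "fota.apk": sample_output("C=CN", "11" * 32),
    "helper.apk": sample_output(VENDOR_STYLE_DN, "22" * 32),
    "gms.apk": sample_output(VENDOR_STYLE_DN, "aa" * 32),
    "vendor.apk": sample_output("CN=Example Vendor, O=Example Ltd., C=ES",
                                "33" * 32),
}

if __name__ == "__main__":
    for apk, flags in triage(SAMPLES).items():
        print(apk, flags)
```
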

REFERENCES

[1] AdGuard - Meizu Incompatibilities. https://github.com/AdguardTeam/AdguardForAndroid/issues/800. [Online; accessed 31-March-2019].
[2] Amazon suspends sales of Blu phones for including preloaded spyware, again. https://www.theverge.com/2017/7/31/16072786/amazon-blu-suspended-android-spyware-user-data-theft. [Online; accessed 31-March-2019].
[3] Análisis del software preinstalado en dispositivos Android y riesgos para la privacidad de los usuarios. https://www.aepd.es/prensa/2019-03-18.html. [Online; accessed 31-March-2019].
[4] Androguard. https://github.com/androguard/androguard/. [Online; accessed 31-March-2019].
[5] Android — Certified. https://www.android.com/certified/. [Online; accessed 31-March-2019].
[6] Android Adware and Ransomware Found Preinstalled on High-End Smartphones. https://www.bleepingcomputer.com/news/security/android-adware-and-ransomware-found-preinstalled-on-high-end-smartphones/. [Online; accessed 31-March-2019].
[7] Android Certified Partners. https://www.android.com/certified/partners/. [Online; accessed 31-March-2019].
[8] Android Compatibility Program Overview. https://source.android.com/compatibility/overview. [Online; accessed 31-March-2019].
[9] Android Developer Documentation. https://developer.android.com/. [Online; accessed 31-March-2019].
[10] Android Trackers. https://fiksu.com/resources/android_trackers/. [Online; accessed 31-March-2019].
[11] Android.Gmobi.1. https://vms.drweb.com/virus/?_is=1&i=7999623&lng=en. [Online; accessed 31-March-2019].
[12] Androwarn–Yet another static code analyzer for malicious Android applications. https://github.com/maaaaz/androwarn. [Online; accessed 31-March-2019].
[13] Apktool–A tool for reverse engineering Android apk files. https://ibotpeaches.github.io/Apktool/. [Online; accessed 31-March-2019].
[14] App Traps: How Cheap Smartphones Siphon User Data in Developing Countries. https://www.wsj.com/articles/app-traps-how-cheap-smartphones-help-themselves-to-user-data-1530788404. [Online; accessed 31-March-2019].
[15] Application signing. https://developer.android.com/studio/publish/app-signing. [Online; accessed 31-March-2019].
[16] Appsee — Features. https://www.appsee.com/features. [Online; accessed 31-March-2019].
[17] Appsee Mobile App Analytics. https://www.appsee.com/. [Online; accessed 31-March-2019].
[18] Asurion. https://www.asurion.com/. [Online; accessed 31-March-2019].
[19] Baidu Geocoding API. http://api.map.baidu.com/lbsapi/geocoding-api.htm. [Online; accessed 31-March-2019].
[20] Baidu SDK. https://developer.baidu.com/. [Online; accessed 31-March-2019].
[21] California Consumer Privacy Act. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375. [Online; accessed 31-March-2019].
[22] China Mobile Network Partner Redstone Moves into Robotics. https://www.prweb.com/releases/2017/04/prweb14212503.htm. [Online; accessed 31-March-2019].
[23] COPPA - Children’s Online Privacy Protection Act. http://coppa.org/. [Online; accessed 31-March-2019].
[24] CVE-2017-2709. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2709. [Online; accessed 31-March-2019].
[25] CVE-2017-2709. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0864. [Online; accessed 31-March-2019].
[26] Define a Custom Permission. https://developer.android.com/guide/topics/permissions/defining. [Online; accessed 31-March-2019].
[27] Digital Turbine - Privacy Policy. https://www.digitalturbine.com/privacy-policy/. [Online; accessed 31-March-2019].
[28] Estimote — indoor location with bluetooth beacons and mesh. https://estimote.com/. [Online; accessed 31-March-2019].
[29] EU General Data Protection Regulation (GDPR). https://eugdpr.org/. [Online; accessed 31-March-2019].
[30] Europe should be wary of Huawei, EU tech official says. https://www.reuters.com/article/us-eu-china-huawei-idUSKBN1O611X. [Online; accessed 31-March-2019].
[31] EXUS. https://www.exus.co.uk. [Online; accessed 31-March-2019].
[32] Facebook Gave Device Makers Deep Access to Data on Users and Friends. https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html. [Online; accessed 31-March-2019].
[33] Facebook’s Data Deals Are Under Criminal Investigation. https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html. [Online; accessed 31-March-2019].
[34] Firmware Scanner. https://play.google.com/store/apps/details?id=org.imdea.networks.iag.preinstalleduploader. [Online; accessed 31-March-2019].
[35] Global market share held by leading smartphone vendors. https://www.statista.com/statistics/271496/global-market-share-held-by-smartphone-vendors-since-4th-quarter-2009/. [Online; accessed 31-March-2019].
[36] GMobi — General Mobile Corporation. http://www.generalmobi.com/en/. [Online; accessed 31-March-2019].
[37] Google Cloud Messaging. https://developers.google.com/cloud-messaging/android/android-migrate-fcm. [Online; accessed 31-March-2019].
[38] Hiya. https://hiya.com/. [Online; accessed 31-March-2019].
[39] Hiya Partners. https://hiya.com/hiya-data-policy. [Online; accessed 31-March-2019].
[40] How does Truecaller get its data? https://support.truecaller.com/hc/en-us/articles/212638485-How-does-Truecaller-get-its-data. [Online; accessed 31-March-2019].
[41] Infinum Inc. https://infinum.co. [Online; accessed 31-March-2019].
[42] Intents and Intent Filters - Android Developers. https://developer.android.com/guide/components/intents-filters. [Online; accessed 31-March-2019].
[43] IronSource — App monetization done right. https://www.ironsrc.com/. [Online; accessed 31-March-2019].
[44] IronSource - AURA. https://company.ironsrc.com/enterprise-solutions/. [Online; accessed 31-March-2019].
[45] IronSource - Aura for Advertisers. https://www.slideshare.net/ironSource/aura-for-advertisers. [Online; accessed 31-March-2019].
[46] Kryptowire Discovers Mobile Phone Firmware that Transmitted Personally Identifiable Information (PII) without User Consent or Disclosure. https://www.kryptowire.com/adups_security_analysis.html. [Online; accessed 31-March-2019].
[47] Kryptowire Provides Technical Details on Black Hat 2017 Presentation: Observed ADUPS Data Collection & Data Transmission. https://www.kryptowire.com/observed_adups_data_collection_behavior.html. [Online; accessed 31-March-2019].
[48] locationlabs by Avast. https://www.locationlabs.com/. [Online; accessed 31-March-2019].
[49] Lumen Privacy Monitor. https://play.google.com/store/apps/details?id=edu.berkeley.icsi.haystack. [Online; accessed 31-March-2019].
[50] Manifest permissions. https://developer.android.com/reference/android/Manifest.permission. [Online; accessed 31-March-2019].
[51] Monetize, advertise and analyze Android apps. https://www.appbrain.com. [Online; accessed 31-March-2019].
[52] OnePlus Device Root Exploit: Backdoor in EngineerMode App for Diagnostics Mode. https://www.nowsecure.com/blog/2017/11/14/oneplus-device-root-exploit-backdoor-engineermode-app-diagnostics-mode/. [Online; accessed 31-March-2019].
[53] OnePlus left a backdoor in its devices capable of root access. http://www.androidpolice.com/2017/11/15/oneplus-left-backdoor-devices-capable-root-access/. [Online; accessed 31-March-2019].
[54] OnePlus OxygenOS built-in analytics. https://www.chrisdcmoore.co.uk/post/oneplus-analytics/. [Online; accessed 31-March-2019].
[55] OnePlus Secret Backdoor. https://www.theregister.co.uk/2017/11/14/oneplus_backdoor/. [Online; accessed 31-March-2019].
[56] Permissions overview. https://developer.android.com/guide/topics/permissions/overview.html. [Online; accessed 31-March-2019].
[57] Phone Number Search — TrueCaller. https://www.truecaller.com/. [Online; accessed 31-March-2019].
[58] Privacy Grade. http://privacygrade.org. [Online; accessed 31-March-2019].
[59] PrivacyStar. https://privacystar.com. [Online; accessed 31-March-2019].
[60] PrivacyStar Privacy Policy. https://privacystar.com/privacy-policy/. [Online; accessed 31-March-2019].
[61] Redstone. http://www.redstone.net.cn/. [Online; accessed 31-March-2019].
[62] Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/. [Online; accessed 31-March-2019].
[63] Simple to use root checking Android library. https://github.com/scottyab/rootbeer. [Online; accessed 31-March-2019].
[64] Smaato Blog. https://blog.smaato.com/everything-you-need-to-know-about-location-based-mobile-advertising. [Online; accessed 31-March-2019].
[65] Synchronoss Technologies - Privacy Policy. https://synchronoss.com/privacy-policy/#datacollected. [Online; accessed 31-March-2019].
[66] Triada Trojan Found in Firmware of Low-Cost Android Smartphones. https://www.bleepingcomputer.com/news/security/android-adware-and-ransomware-found-preinstalled-on-high-end-smartphones/. [Online; accessed 31-March-2019].
[67] Upstream - Low-end Android smartphones sold with pre-installed malicious software in emerging markets. https://www.upstreamsystems.com/pre-installed-malware-android-smartphones/. [Online; accessed 31-March-2019].
[68] VPN Service. https://developer.android.com/reference/android/net/VpnService. [Online; accessed 31-March-2019].
[69] What is “com,facebook,app manager” and why is it trying to download Instagram, Facebook, and Messenger. https://forums.androidcentral.com/android-apps/547447-what-com-facebook-app-manager-why-trying-download-instagram-facebook-messenge.html. [Online; accessed 31-March-2019].
[70] XDA-Developers Forum (Galaxy Note 4). com.facebook.appmanager. https://forum.xda-developers.com/note-4/themes-apps/com-facebook-appmanager-t2919151. [Online; accessed 31-March-2019].
[71] Your Data Is Our Data: A Truecaller Breakdown. https://techcabal.com/2018/05/02/your-data-is-our-data-a-truecaller-breakdown/. [Online; accessed 31-March-2019].
[72] Aafer, Y., Zhang, N., Zhang, Z., Zhang, X., Chen, K., Wang, X., Zhou, X., Du, W., and Grace, M. Hare Hunting In The Wild Android: A Study On The Threat Of Hanging Attribute References. In Proceedings of the ACM Conference on Computer and Communication Security (CCS) (2015).
[73] Aafer, Y., Zhang, X., and Du, W. Harvesting Inconsistent Security Configurations In Custom Android ROMs Via Differential Analysis. In Proceedings of the USENIX Security Symposium (2016).
[74] Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., and McDaniel, P. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Proceedings of the ACM Special Interest Group on Programming Languages (SIGPLAN) (2014).
[75] Au, K. W. Y., Zhou, Y. F., Huang, Z., and Lie, D. PScout: Analyzing The Android Permission Specification. In Proceedings of the ACM Conference on Computer and Communication Security (CCS) (2012).
[76] Dittrich, D., and Kenneally, E. The Menlo Report: Ethical principles guiding information and communication technology research. US Department of Homeland Security (2012).
[77] Dr Web. Trojan preinstalled on Android devices infects applications’ processes and downloads malicious modules. http://news.drweb.com/news/?i=11390&lng=en. [Online; accessed 31-March-2019].
[78] Felt, A. P., Chin, E., Hanna, S., Song, D., and Wagner, D. Android Permissions Demystified. In Proceedings of the ACM Conference on Computer and Communication Security (CCS) (2011).
[79] Felt, A. P., Wang, H. J., Moshchuk, A., Hanna, S., and Chin, E. Permission Re-Delegation: Attacks And Defenses. In Proceedings of the USENIX Security Symposium (2011).
[81] Jiang, Y. Z. X., and Xuxian, Z. Detecting Passive Content Leaks And Pollution In Android Applications. In Proceedings of the Network and Distributed System Security Symposium (NDSS) (2013).
[82] Johnson, Ryan and Stavrou, Angelos and Benameur, Azzedine. All Your SMS & Contacts Belong to ADUPS & Others. https://www.blackhat.com/docs/us-17/wednesday/us-17-Johnson-All-Your-SMS-&-Contacts-Belong-To-Adups-&-Others.pdf. [Online; accessed 31-March-2019].
[83] Li, L., Bissyandé, T. F., Klein, J., and Le Traon, Y. An investigation into the use of common libraries in android apps. In Proceedings of the International Conference on Software Analysis, Evolution, and Reengineering (SANER) (2016).
[84] Pan, E., Ren, J., Lindorfer, M., Wilson, C., and Choffnes, D. Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications. Proceedings of the Privacy Enhancing Technologies Symposium (PETS) (2018).
[85] Razaghpanah, A., Nithyanand, R., Vallina-Rodriguez, N., Sundaresan, S., Allman, M., Kreibich, C., and Gill, P. Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem. In Proceedings of the Network and Distributed System Security Symposium (NDSS) (2018).
[86] Razaghpanah, A., Vallina-Rodriguez, N., Sundaresan, S., Kreibich, C., Gill, P., Allman, M., and Paxson, V. Haystack: In situ mobile traffic analysis in user space. arXiv preprint arXiv:1510.01419 (2015).
[87] Ren, J., Lindorfer, M., Dubois, D. J., Rao, A., Choffnes, D., and Vallina-Rodriguez, N. Bug Fixes, Improvements,... and Privacy Leaks.
[88] Reyes, I., Wijesekera, P., Reardon, J., On, A. E. B., Razaghpanah, A., Vallina-Rodriguez, N., and Egelman, S. “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale. Proceedings of the Privacy Enhancing Technologies Symposium (PETS) (2018).
[89] Vallina-Rodriguez, N., Amann, J., Kreibich, C., Weaver, N., and Paxson, V. A Tangled Mass: The Android Root Certificate Stores. In Proceedings of the International Conference on Emerging Networking EXperiments and Technologies (CoNEXT) (2014).
[90] Vallina-Rodriguez, N., Shah, J., Finamore, A., Grunenberger, Y., Papagiannaki, K., Haddadi, H., and Crowcroft, J. Breaking for commercials: characterizing mobile advertising. In Proceedings of the Internet Measurement Conference (IMC) (2012).
[91] Wang, H., Liu, Z., Liang, J., Vallina-Rodriguez, N., Guo, Y., Li, L., Tapiador, J., Cao, J., and Xu, G. Beyond Google Play: A Large-Scale Comparative Study of Chinese Android App Markets. In Proceedings of the Internet Measurement Conference (IMC) (2018).
[92] Wei, F., Roy, S., Ou, X., and Robby. Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps. In Proceedings of the ACM Conference on Computer and Communication Security (CCS) (2014).
[93] Wu, D., Gao, D., Chang, R. K. C., He, E., Cheng, E. K. T., and Deng, R. H. Understanding Open Ports In Android Applications: Discovery, Diagnosis, And Security Assessment. Proceedings of the Network and Distributed System Security Symposium (NDSS) (2019).
[94] Zhauniarovich, Y., and Gadyatskaya, O. Small Changes, Big Changes: An Updated View On The Android Permission System. In Research in Attacks, Intrusions, and Defenses (2016).
[80] Ikram, M., Vallina-Rodriguez, N., Seneviratne, S., Kaafar,
M. A., AND PAXSON , V. An analysis of the privacy and security risks [95] Z HOU , X., L EE , Y., Z HANG , N., NAVEED , M., AND WANG , X. The
of android vpn permission-enabled apps. In Proceedings of the Internet Peril Of Fragmentation: Security Hazards In Android Device Driver
Measurement Conference (IMC) (2016). Customizations. In IEEE Symposium on Security and Privacy (SP)
(2014).

APPENDIX

A. Userbase distribution
Table IX describes our userbase geographical distribution.

Country        Samples   Vendors           Vendor's
(N=130)                  Total    Unique   share
USA            12%       36       11       17%
Spain          6%        24       3        11%
Indonesia      6%        26       7        12%
Italy          5%        15       6        7%
UK             4%        19       6        9%
Mexico         3%        17       3        8%
Thailand       3%        28       12       13%
Germany        3%        21       2        10%
Belgium        2%        17       4        8%
Netherlands    2%        16       2        8%
Total countries 130 — 214

Table IX: Geographical distribution of our users. Only the top 10 countries are shown.

B. Custom permissions
Table X reports a subset of custom permissions defined by device vendors, MNOs, third-party services, and chipset
manufacturers.

MANUFACTURER PERMISSIONS
Package name                          Developer Signature       Vendor(s)             Permission
com.sonyericsson.facebook.proxylogin  Sony Ericsson (SE)        Sony                  com.sonyericsson.permission.FACEBOOK
com.sonymobile.twitter.account        Sony Ericsson (SE)        Sony                  com.sonymobile.permission.TWITTER
android                               Sony Ericsson (SE)        Sony                  com.sonymobile.googleanalyticsproxy.permission.GOOGLE_ANALYTICS
com.htc.socialnetwork.facebook        Android (TW)              HTC                   *.permission.SYSTEM_USE
com.sonymobile.gmailreaderservice     Sony Ericsson (SE)        Sony                  com.sonymobile.permission.READ_GMAIL
com.sec.android.daemonapp             Samsung Corporation (KR)  Samsung               *.ap.accuweather.ACCUWEATHER_DAEMON_ACCESS_PROVIDER
android                               Lenovo (CN)               Lenovo                android.permission.LENOVO_MDM
com.asus.loguploaderproxy             AsusTek (TW)              Asus                  asus.permission.MOVELOGS
com.miui.core                         Xiaomi (CN)               Xiaomi                miui.permission.DUMP_CACHED_LOG
android                               Samsung (KR)              Samsung               com.sec.enterprise.knox.KNOX_GENERIC_VPN
com.sec.enterprise.permissions        Samsung (KR)              Samsung               android.permission.sec.MDM_ENTERPRISE_VPN_SOLUTION
com.android.vpndialogs                Meizu (CN)                Meizu                 com.meizu.permission.CONTROL_VPN

MNO PERMISSIONS
Package name                          Developer Signature       MNO                   Permission
com.android.mms                       ZTE                       T-Mobile US           com.tmobile.comm.RECEIVE_METRICS
com.lge.ipservice                     LG                        T-Mobile US           com.tmobile.comm.RECEIVE_METRICS
hr.infinum.mojvip                     Infinum (HR) [41]         H1 Croatia            hr.infinum.mojvip.permission.RECEIVE_ADM_MESSAGE
com.locationlabs.cni.att              AT&T (US)                 AT&T (US) [48]        com.locationlabs.cni.att.permission.BROADCAST
com.asurion.android.verizon.vms       Asurion (US) [18]         Verizon (US)          com.asurion.android.verizon.vms.permission.C2D_MESSAGE
jp.naver.line.android                 Naver (JP)                South Korea Telekom   com.skt.aom.permission.AOM_RECEIVE

THIRD-PARTY SERVICE PERMISSIONS
Package name                          Developer Signature       Provider              Permission
com.facebook.system                   Facebook                  Facebook              *.ACCESS
com.amazon.kindle                     Amazon                    Amazon                com.amazon.identity.auth.device.perm.AUTH_SDK
com.huawei.android.totemweather       Huawei (CN)               Baidu                 android.permission.BAIDU_LOCATION_SERVICE
com.oppo.findmyphone                  Oppo (CN)                 Baidu                 android.permission.BAIDU_LOCATION_SERVICE
com.dti.sliide                        Logia                     Digital Turbine       com.digitalturbine.ignite.ACCESS_LOG
com.dti.att                           Logia                     Digital Turbine       com.dti.att.permission.APP_EVENTS
com.ironsource.appcloud.oobe.wiko     ironSource                ironSource            com.ironsource.aura.permission.C2D_MESSAGE
com.vcast.mediamanager                Verizon (US)              Synchronoss           com.synchronoss.android.sync.provider.FULL_PERMISSION
com.myvodafone.android                Vodafone (GR)             Exus                  uk.co.exus.permission.C2D_MESSAGE
com.trendmicro.freetmms.gmobi         TrendMicro (TW)           GMobi                 com.trendmicro.androidmup.ACCESS_TMMSMU_REMOTE_SERVICE
com.skype.rover                       Skype (GB)                Skype                 com.skype.android.permission.READ_CONTACTS
com.cleanmaster.sdk                   Samsung (KR)              CleanMaster           com.cleanmaster.permission.sdk.clean
com.netflix.partner.activation        Netflix (US)              Netflix               *.permission.CHANNEL_ID

CHIPSET PERMISSIONS
Package name                          Developer Signature       Provider              Permission
com.qualcomm.location                 ZTE (CN)                  Qualcomm              com.qualcomm.permission.IZAT
com.mediatek.mtklogger                TCL (CN)                  MediaTek              com.permission.MTKLOGGER
com.android.bluetooth                 Samsung (KR)              Broadcom              broadcom.permission.BLUETOOTH_MAP

Table X: Custom permission examples. The wildcard * represents the package name whenever the permission prefix and the
package name overlap.
