1 An Analysis of Pre-installed Android Software Julien Gamba∗y, Mohammed Rashedy, Abbas Razaghpanahz, Juan Tapiador y and Narseo Vallina-Rodriguez∗x ∗ IMDEA Networks Institute, y Universidad Carlos III de Madrid, z Stony Brook University, x ICSI Abstract end up packaged together in the firmware of a device is not The open-source nature of the Android OS makes it possible transparent, and various isolated cases reported over the last for manufacturers to ship custom versions of the OS along with few years suggest that it lacks end-to-end control mechanisms a set of pre-installed apps, often for product differentiation. to guarantee that shipped firmware is free from vulnerabili- Some device vendors have recently come under scrutiny ties [24], [25] or potentially malicious and unwanted apps. For for potentially invasive private data collection practices and example, at Black Hat USA 2017, Johnson et al. [82], [47] other potentially harmful or unwanted behavior of the pre- gave details of a powerful backdoor present in the firmware installed apps on their devices. Yet, the landscape of pre- of several models of Android smartphones, including the installed software in Android has largely remained unexplored, popular BLU R1 HD. In response to this disclosure, Amazon particularly in terms of the security and privacy implications of removed Blu products from their Prime Exclusive line-up [2]. such customizations. In this paper, we present the first large- A company named Shanghai Adups Technology Co. Ltd. was scale study of pre-installed software on Android devices from pinpointed as responsible for this incident. The same report more than 200 vendors. Our work relies on a large dataset also discussed the case of how vulnerable core system services of real-world Android firmware acquired worldwide using (e.g., the widely deployed MTKLogger component developed crowd-sourcing methods. This allows us to answer questions by the chipset manufacturer MediaTek) could be abused by related to the stakeholders involved in the supply chain, from co-located apps. The infamous Triada trojan has also been device manufacturers and mobile network operators to third- recently found embedded in the firmware of several low-cost party organizations like advertising and tracking services, and Android smartphones [77], [66]. Other cases of malware found social network platforms. Our study allows us to also uncover pre-installed include Loki (spyware and adware) and Slocker relationships between these actors, which seem to revolve (ransomware), which were spotted in the firmware of various primarily around advertising and data-driven services. Overall, high-end phones [6]. the supply chain around Android’s open source model lacks Android handsets also play a key role in the mass-scale transparency and has facilitated potentially harmful behaviors data collection practices followed by many actors in the dig- and backdoored access to sensitive data and services with- ital economy, including advertising and tracking companies. out user consent or awareness. We conclude the paper with OnePlus has been under suspicion of collecting personally recommendations to improve transparency, attribution, and identifiable information (PII) from users of its smartphones accountability in the Android ecosystem. through exceedingly detailed analytics [55], [54], and also de- ploying the capability to remotely root the phone [53], [52]. In I. INTRODUCTION July 2018 the New York Times revealed the existence of secret The openness of the Android source code makes it possible agreements between Facebook and device manufacturers such for any manufacturer to ship a custom version of the OS along as Samsung [32] to collect private data from users without their with proprietary pre-installed apps on the system partition. knowledge. This is currently under investigation by the US Most handset vendors take this opportunity to add value to Federal authorities [33]. Additionally, users from developing arXiv:1905.02713v1 [cs.CR] 7 May 2019 their products as a market differentiator, typically through countries with lax data protection and privacy laws may be at partnerships with Mobile Network Operators (MNOs), online an even greater risk. The Wall Street Journal has exposed the social networks, and content providers. Google does not forbid presence of a pre-installed app that sends users’ geographical this behavior, and it has developed its Android Compatibility location as well as device identifiers to GMobi, a mobile- Program [8] to set the requirements that the modified OS must advertising agency that engages in ad-fraud activities [14], fulfill in order to remain compatible with standard Android [67]. Recently, the European Commission publicly expressed apps, regardless of the modifications introduced. Devices made concern about Chinese manufacturers like Huawei, alleging by vendors that are part of the Android Certified Partners that they were required to cooperate with national intelligence program [5] come pre-loaded with Google’s suite of apps services by installing backdoors on their devices [30]. (e.g., the Play Store and Youtube). Google does not provide details about the certification processes. Companies that want Research Goals and Findings to include the Google Play service without the certification To the best of our knowledge, no research study has so can outsource the design of the product to a certified Original far systematically studied the vast ecosystem of pre-installed Design Manufacturer (ODM) [7]. Android software and the privacy and security concerns asso- Certified or not, not all pre-installed software is deemed as ciated with them. This ecosystem has remained largely unex- wanted by users, and the term “bloatware” is often applied plored due to the inherent difficulty to access such software to such software. The process of how a particular set of apps at scale and across vendors. This state of affairs makes such 2 an study even more relevant, since i) these apps – typically app ecosystem as a whole [78], [84], [85], we find that unavailable on app stores – have mostly escaped the scrutiny of it is also quite prevalent in pre-installed apps. We have researchers and regulators; and ii) regular users are unaware identified instances of user tracking activities by pre- of their presence on the device, which could imply lack of installed Android software – and embedded third-party consent in data collection and other activities. libraries – which range from collecting the usual set of PII In this paper, we seek to shed light on the presence and and geolocation data to more invasive practices that include behavior of pre-installed software across Android devices. In personal email and phone call metadata, contacts, and a particular, we aim to answer the questions below: variety of behavioral and usage statistics in some cases. We also found a few isolated malware samples belonging to • What is the ecosystem of pre-installed apps, including all actors in the supply chain? known families, according to VirusTotal, with prevalence in the last few years (e.g., Xynyin, SnowFox, Rootnik, Triada • What are the relationships between vendors and other stake- holders (e.g., MNOs and third-party services)? and Ztorg), and generic trojans displaying a standard set of malicious behaviors (e.g., silent app promotion, SMS • Do pre-installed apps collect private and personally- identifiable information (PII)? If so, with whom do they fraud, ad fraud, and URL click fraud). share it? All in all, our work reveals complex relationships between • Are there any harmful or other potentially dangerous apps actors in the Android ecosystem, in which user data seems among pre-installed software? to be a major commodity. We uncover a myriad of actors involved in the development of mobile software, as well as To address the points described above, we developed a poor software engineering practices and lack of transparency in research agenda revolving around four main items: the supply chain that unnecessarily increase users’ security and 1) We collected the firmware and traffic information from privacy risks. We conclude this paper with various recommen- real-world devices using crowd-sourcing methods (xII). We dations to palliate this state of affairs, including transparency obtained the firmware from 2,748 users spanning 1,742 models to improve attribution and accountability, and clearer device models from 214 vendors. Our user base covers mechanisms to obtain informed consent. Given the scale of 130 countries from the main Android markets. Our dataset the ecosystem and the need to perform manual inspections, contains 424,584 unique firmware files, but only 9% of the we will gradually make our dataset available to the research collected APKs were found in Google Play. We comple- community and regulators to boost investigations. ment this dataset with traffic flows associated with 139,665 unique apps, including pre-installed ones, provided by over II. DATA COLLECTION 20.4K users of the Lumen app [86] from 144 countries. To Obtaining pre-installed apps and other software artifacts the best of our knowledge, this is the largest dataset of (e.g., certificates installed in the system root store) at scale is real-world Android firmware analyzed so far. challenging. As purchasing all the mobile handset models (and 2) We performed an investigation of the ecosystem of pre- their many variations) available in the market is unfeasible, installed Android apps and the actors involved (xIII) by we decided to crowdsource the
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages17 Page
-
File Size-