On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones.
The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an open letter to Google (and Alphabet) CEO Sundar Pichai asking him "to take action against exploitative pre-installed software on Android devices."
Their concern is that almost all (91 per cent) Android apps installed on devices by Google's Android partners prior to sale do not face the same security scrutiny as Android apps distributed to device users through Google Play. These pre-installed apps cannot be deleted and may collect user data without consent or perform other undesired functions. And they play by a different set of rules than Google Play apps.
"These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model," the letter says. "This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions."
The groups are particularly concerned about "the exploitative business practices of cheap smartphone manufacturers." They argue that lack of income should not mean Android users lose their privacy rights.
They want Google to provide a way to uninstall pre-installed apps and related background services permanently, to apply the same security review that Play-submitted apps receive, to support an update mechanism for these apps without a user account, and to actually refuse to certify partner devices if they contain exploitative software.
Underscoring these concerns, security vendor Malwarebytes said that Assurance Wireless by Virgin Mobile, supported by the US government's Lifeline Assistance program, distributes the $35 UMX U686CL phone with two pre-installed apps that appear to be malicious.
The first is an updater named Wireless Update that shows up in Malwarebytes' threat database as Android/PUP.Riskware.Autoins.Fota.fbcvd. The app is "a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers," said senior malware intelligence analyst Nathan Collier in a blog post.
The second is the phone's Settings app, which incorporates obfuscated malware that the security biz identifies as Android/Trojan.Dropper.Agent.UMX. The dubious code shares similarities with other known Trojan droppers; in this instance, according to Collier, it installs malware called Android/Trojan.HiddenAds.
Attempting to remove this software can pose problems. Without Wireless Update, the phone no longer gets updates automatically. Removing the Settings app, however, may cripple the device. Collier offers remediation guidance, but it involves command line fiddling that demands some technical sophistication and may not work.
Collier reaches the same conclusion as the civic groups haranguing Google's CEO: "Budget should not dictate whether a user can remain safe on his or her mobile device."
Virgin Mobile did not immediately respond to a request for comment and Assurance Wireless's website returned an error at the time this story was filed, possibly due to the unexpected public attention following from the Malwarebytes report.
Google also did not immediately respond to a request for comment.
Incidentally, in March, the search biz will offer Android customers in the European Economic Area (which includes Britain) a limited menu of default search providers on new devices as a result of European Commission antitrust action last year.
The Chocolate Factory on Thursday published its list of rivals – determined by periodic auctions, with proceeds paid to Google – that will be featured (through June) in the search choice menu presented in each EEA country. Android users, when setting up their devices, will be able to use the menu to select a default search engine other than Google, if they wish.
Updated to add
In a statement emailed after this story was filed, a Virgin Mobile representative disputed Malwarebytes’ claim. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware,” the Virgin spokesperson said.