A user buys a new Android mobile. It does not matter the brand. Open the box, press the power button, the mobile connects to the internet and, without doing anything else, just start the most sophisticated surveillance machine on their routines.
It does not matter anymore if you download Facebook, activate your Google account or give all the permissions to a rare flashlight app or antivirus. Before any action, your new mobile phone has begun to share details of your life. The software that comes pre-installed as standard is the most perfect resource of that mobile to know its future activity: where it is, what is downloaded, what messages it sends, what music files it has.
"The preinstalled apps are the manifestation of another phenomenon: agreements between actors (manufacturers, data merchants, operators, advertisers) to give, in principle, added value but also for commercial purposes." The element of gravity is provided by the scale: we talk about hundreds or thousands of millions of Android phones, "says Juan Tapiador, a professor at the Carlos III University and one of the authors of the research that reveals this sub-world. Android phones represent more than 80% of the global market.
"The element of gravity is provided by the scale: we speak of hundreds or thousands of millions of Android phones"
The new international research conducted by two Spanish academics, Narseo Vallina-Rodríguez, of IMDEA Networks and the ICSI (University of Berkeley) and Tapiador, reveals the depth of the abyss. None of the findings by itself is radically new: it is known that mobiles play on the red line of permits at the time of collect and share data. The novelty of the role of pre-installed apps lies in their extension, lack of transparency and privileged position within the mobile: they have analyzed 1,742 mobile phones from 214 manufacturers in 130 countries.
"Until now, research on mobile privacy risks has focused on apps that are listed on Google Play or on samples of malware "says Vallina. Now they have looked at what the mobiles bring as standard and it seems out of control. Due to the complexity of the ecosystem, the privacy guarantees of the Android platform may be in question.
The article, which will be officially published on April 1 and to which EL PAÍS has had access, has already been accepted by one of the world's leading cybersecurity and privacy conferences, the IEEE Symposium on Security & Privacy in California.
Our personal information is sent to a wide network of destinations, which changes according to the mobile, and some are controversial: to servers of the mobile manufacturer, to companies usually accused of spying in our lives -Facebook, Google- and a dark world that goes from corporations to start-ups They collect the personal information of each one, package it with an identifier that is linked to our name and sell it to who pays well.
Our personal information is sent to a wide network of destinations, some controversial
Nobody before had looked into this abyss to make an investigation of this draft. The researchers created the Firmware Scanner app, which collected the pre-installed software from the volunteer users who downloaded it. For the study they analyzed more than 1,700, but they already have more than eight thousand. The open code of the Android operating system allows any manufacturer to have its version, along with its pre-installed apps. A mobile can have more than 100 pre-installed apps and hundreds of other libraries, which are third-party services included in its code, many of them specialized in user surveillance and advertising.
In total, an international panorama of hundreds of thousands of applications with common, dubious, unknown, dangerous or potentially criminal functions. This almost perfect definition of chaos led the five researchers to more than a year of exploration. The result is just a first look at the precipice of massive surveillance of our Android phones without user knowledge.
More than one manufacturer
An Android mobile is not the product of its manufacturer alone. The statement is surprising, but several companies participate in the production chain: the chip is a brand, the operating system updates can be outsourced, telephone operators or large businesses that sell mobile add their own software. The actors that participate in shaping a mobile phone go far beyond the name they put in the box. The final control of all the software that is placed there and that has privileged access to the user's data is intrazable.
The result is an uncontrolled ecosystem, where no one is capable today of taking responsibility for what happens with our most intimate information. Google created the platform from free code, but now it belongs to everyone. And what belongs to everyone belongs to no one: "The Android world is very jungle, it's like the far west, especially in countries with little regulation of personal data protection, "says Tapiador.
"There is no type of supervision over what is imported and marketed at the software level (and to a large extent hardware) within the European Union," says Vallina. The result? A chaos where each version of our Android phones converse with your base from the first day, without interruption, to tell you what we do. The problem is not only what they tell us, but the owner of the mobile does not control what gives permissions.
The closed garden of Google Play
Companies that collect user data to, for example, create profiles for advertisers already have access to user data through normal Google Play apps. What interest then does a data merchant have in reaching agreements with manufacturers to be in the pre-installed software?
Imagine that our data is inside a multi-storey house. Google Play apps are windows that we open and close: sometimes we let the data out and sometimes we do not. It depends on the surveillance of each user and the permissions that he gives. But what that user does not know is that Android phones come with the street door wide open. It does not matter what you do with the windows.
The preinstalled software is always there, it accompanies us everywhere and in all corners of the phone, and also can not be deleted without "rooting" the device, which is to break the protection provided by the system to do with it what you want and is something that is not available to ordinary users.
That user does not know that Android phones come with the street door wide open
The apps that the user downloads from Google Play give the option to see the permissions that it asks: do you allow your new free game to access your microphone? Do you allow your new app to have better productivity access to your location? If we think too many permissions, we can delete it. The applications that Google monitors have their terms of service and must ask for explicit permission to execute actions.
The user, although not fixed or have no choice, is ultimately responsible for their decisions. You are giving permission for someone to access your contacts. But the pre-installed apps are already there. They live below the apps indexed in the Store, without clear permissions or, in many cases, with the same permissions as the operating system. That is, everyone. "Google Play is a closed garden with its cops, but 91% of the pre-installed applications we've seen are not on Google Play," says Tapiador. Outside of Google Play, nobody monitors in detail what ends up inside a mobile.
Two added problems
The preinstalled software has two additional problems: one, they are next to the operating system, which has access to all the functions of a mobile, and two, those apps can be updated and mutated.
The operating system is the brain of the mobile. He has access to everything always. It does not depend on whether the app is running or that the user can erase it. It will always be there and, in addition, it will be updated. Why are the updates important? Here is an example: a manufacturer has given permission to a company to put on the mobile code to check something innocuous. But that code can be updated and, two months later or when the company knows that the user lives in that country and works in that place, send an update to do other things. Which? Whatever it is: record conversations, take photos, look at messages.
Pre-installed apps are easy to update by their creator: if you change the country or the intentions of who has placed a tracking system there, you will be sent new software with new orders. The owner of your mobile phone can not stop it and you are not even asked for specific permissions: your operating system is updated.
"That information is sometimes huge: technical features of the phone, unique identifiers, location, contacts, messages or emails"
"Some of those apps call home asking for instructions and send information about where they are installed, that information is sometimes huge: extensive reports with technical features of the phone, unique identifiers, location, contacts in the calendar, messages or emails. It collects a server and makes a decision about what to do with that phone, for example, depending on the country you are in, you can decide to install one app or another, or promote some ads or others. analyzing the code and behavior of the apps"says Tapiador.
The server that receives the information goes from the manufacturer, a social network that sells advertising, an unknown data merchant or an obscure IP address that is not known to whom it belongs.
One danger is that those dark pre-installed apps use custom permissions (custom permissions) for expose information to apps from the Play Store. Custom permissions are a tool that Android offers to software developers so that apps share data between them. For example, if an operator or a banking service has several, it is permissible that they can talk to each other and share data. But sometimes it is not easy to find out what data some pieces of that software share.
Inside a new mobile there is for example a pre-installed app that has access to camera, contacts, microphone. That application has been programmed by a guy named Wang Sánchez and he carries a certificate with his public key and his signature. Apparently it is legitimate, but nobody checks that Wang Sanchez's certificate is real. That application is always on, pick up the location, activate the mic and keep the recordings. But it does not send it to any server because the Wang Sanchez application does not have permission to send anything over the internet. What it does do is declare a personalized permit that regulates access to these data: whoever has that permission will be able to obtain them.
One day the owner of that mobile goes to the Google Play Store and finds a great sports app. What official permits do they ask for? Only access the internet, which is perfectly common among apps. And also ask for the personalized permission of the application of Wang Sanchez. But he does not realize why these permissions are not shown to the user. Thus, the first thing that the newcomer sports app will say to the pre-installed is: "Oh, you live here? Give me access to the micro and the camera." It was apparently an app with no risk, but the complexities of the permit system mean that situations like this can happen.
The authors of these apps are one of the great mysteries of Android. The research has found a similar scenario to the low funds of the dark web: there are for example apps signed by someone who says it is "Google" and does not look like it: "The attribution to the actors has been done almost manually depending on the seller they are in, who sign them and if they have for example some chain that identifies a known library or manufacturer (for example, Ironsource or Facebook), "says Vallina. The result is that there are many that send information acceptable to manufacturers or large companies, but many others hide behind deceptive or false names.
That information is easily linked to a telephone number or data people with names and surnames, not identifying numbers that anonymize. The phone knows who its owner is. The sim and dozens of apps linked to email or accounts on social networks easily reveal the origin of the data.
Governments and industry have known this framework for years. The federal agencies of the United States request their mobiles with free operating systems of this software pre-installed and adapted to their needs. And the citizens? Let them be scared. Your data is not as secret as that of a Ministry.
"Exercising regulatory control over all possible Android versions of the market is almost unmanageable, and it would require a very extensive and expensive analysis," explains Vallina. That chaos out there allows sophisticated surveillance machines to live in our pockets.