
Pre-installed Android software poses massive security risk

by Kristen Nicole

Android’s seen its share of privacy issues and data safety concerns, and while frequent malware attacks on the platform have spawned an entire industry, every week seems to bring news of even more dire straits for the Android camp. Carrier IQ is the latest to come under fire, after Android security researcher Trevor Eckhart showed how the mobile device tracker logs each keystroke, sending the data to unknown locations. Carrier IQ’s software is used by carriers and companies to obtain information on end user behavior, with the intent of improving the customer experience and better understanding device issues. But Eckhart’s exposé, which includes a detailed 17-minute video, has shed new light on the methods behind Carrier IQ, leaving many to wonder about the true objectives behind software that’s sending private data to unverified places.

Things got ugly when Eckhart called Carrier IQ’s software a “rootkit” because of its ability to access device data while concealing its presence. This isn’t an app you download from the Market, but software pre-installed on your device. Carrier IQ sent Eckhart a cease-and-desist letter, demanding an apology for calling the software a rootkit, but later sent out an apology of its own after the Electronic Frontier Foundation deemed Eckhart’s comments and research protected under the Copyright Act’s fair use provision. But while Eckhart’s stuck in a song and dance routine with Carrier IQ, consumers are still wondering why their Android phones have software that logs keystrokes, phone numbers, and even SMS content.

Pre-installed apps are security risks

Another team of researchers at North Carolina State University has given consumers even more reason to worry, having uncovered a number of vulnerabilities in the standard configurations of popular Android devices from the likes of Motorola, HTC and even Samsung. In a paper published by Michael Grace, Yajin Zhou, Zhi Wang and Xuxian Jiang, the team demonstrates how these vulnerabilities could be used by an untrusted app to send SMS messages, record conversations or wipe all user data from the handset without needing user permission.

The HTC Legend, EVO 4G and Wildfire S were just some of the devices tested by the NC State team, which unveiled a slew of new security leaks, even from pre-loaded applications that not only come standard on many Android handsets, but can’t be easily uninstalled.

Between Eckhart’s report and the paper from NC State, it appears our Android phones come full of security holes right out of the box. What will Google do about its OEM partners that are sending out devices with such high potential for attack, made especially attractive to attackers because of their massive install base?