Download the entire paper at haystack.mobi
“Certified or not, not all pre-installed software is deemed as wanted by users, and the term “bloatware” is often applied to such software. The process of how a particular set of apps end up packaged together in the firmware of a device is not transparent, and various isolated cases reported over the last few years suggest that it lacks end-to-end control mechanisms to guarantee that shipped firmware is free from vulnerabilities or potentially malicious and unwanted apps.”
“The openness of the Android source code makes it possible for any manufacturer to ship a custom version of the OS along with proprietary pre-installed apps on the system partition. Most handset vendors take this opportunity to add value to their products as a market differentiator, typically through partnerships with Mobile Network Operators (MNOs), online social networks, and content providers. Google does not forbid this behavior, and it has developed its Android Compatibility Program to set the requirements that the modified OS must fulfill in order to remain compatible with standard Android apps, regardless of the modifications made to the underlying OS.”
“In this paper, we seek to shed light on the presence and behavior of pre-installed software across Android devices. In particular, we aim to answer the questions below:
• What is the ecosystem of pre-installed apps, including all actors in the supply chain?
• What are the relationships between vendors and other stakeholders (e.g., MNOs and third-party services)?
• Do pre-installed apps collect private and personally identifiable information (PII)? If so, with whom do they share it?
• Are there any harmful or other potentially dangerous apps among pre-installed software?”