Bloatware is a security risk for devices running Android and Windows
Bloatware is more than an annoyance. It could be a security risk for millions of devices running everything from Android to Windows 10.
When you bought your device – whether the latest Android phone or a PC running Windows 10 – the devices also came with a raft of additional pre-installed software – often called bloatware. Researchers have determined that bloatware can be a risk – both to your privacy and also to the security of the device itself. And with both Android and Windows operating systems, getting rid of said bloatware might be the best thing for you – but can be quite an involved task to pull off.
Doors are open with Android
As an open system used by a majority of the world’s smart phone manufacturers, Android phones provide a wealth of opportunity for app developers to demonstrate their wares. They also provide a huge target for less-than-scrupulous firms to harvest a vast amount of private user data and even bring some malware into the new device. A joint research team from two American and Spanish universities did a deep dive into Android firmware from 2,748 users with 1,742 device models from 214 vendors and wrote a paper on the results — An Analysis of Pre-installed Android Software.
They found numerous instances of user tracking that went beyond the usual personal and geo-location data to include even personal email and phone call metadata, contacts, and a variety of behavioral and usage statistics. They also found a few examples of known malware and Trojans engaged in bad behavior such as ad fraud, silent app promotion, SMS fraud, and URL click fraud.
“This situation has become a peril to users’ privacy and even security due to an abuse of privilege or as a result of poor software engineering practices that introduce vulnerabilities and dangerous backdoors,” wrote the authors.
Overall, the study found that the risks are compounded by smart phone users’ ignorance over how their data can be collected and exchanged. “Users’ activities, personal data, and habits may be constantly monitored by stakeholders that many users may have never heard of, let alone consented to collect their data,” stated the authors.
That Window is open
Windows also has its issues with newly uncovered vulnerabilities in pre-installed software. SafeBreach, a California security firm, found a software installed on millions of PCs from the likes of Dell that has been pre-installed in PCs. This specific problem is with PC-Doctor Toolbox, a systems analysis software that comes already installed on computers from Dell, Staples, and Corsair.
The problem potentially would allow a hacker to exchange files loaded during a diagnostic scan with a malicious substitute. Once completed, this could allow a hacker complete control over the Windows 10-powered computers. The problem is exacerbated by computer makers giving the PC-Doctor Toolbox a high level of access to devices. PC-Doctor Toolbox stated on its website that “it would be very rare for one to have both permissions and the ability to exploit this vulnerability.”
According to Forbes’ Gordon Kelley, this is the second round of recent patches issued for PC-Doctor Toolbox and more could be on the way. He recommended removing the suspect app completely. When buying a new computer, he even recommended taking a big step and completely reinstalling Windows and wiping off unwanted software.
Supply chain and the question of bloatware control
For both Android and Windows OS-powered devices, there is a long and windy road to market. For Windows, is that the more programs allowed to be sent out in the same package with Windows, the inevitably higher chance that something can go wrong. For Android, the problems are much deeper and systemic. Overall, the study found issues in three major areas – supply chain, attribution/trust for the supplied apps, and informed user consent. That last issue is also compounded by smart phone users’ ignorance over how their data can be collected and exchanged. “Users’ activities, personal data, and habits may be constantly monitored by stakeholders that many users may have never heard of, let alone consented to collect their data,” stated the authors.
That’s much more than a technical vulnerability – it’s the business model.