Skip to content
Naked Security Naked Security

Study finds Android smartphones riddled with suspect ‘bloatware’

According to a new study, Android bloatware can create hidden security and privacy risks.

One of the oft-discussed downsides of choosing an Android device is the phenomenon of pre-loaded “bloatware.”

Broadly speaking, these are apps and services pre-loaded on smartphones and tablets by phone vendors, mobile carriers, and their partners along with the basic suite of Google apps and Android itself.

Not all of this software is necessarily useless, and some vendors load less than others, but often it can’t be uninstalled, leaving users stuck with space-consuming software they might never use.

Worse still, according to a new study by researchers at the Universidad Carlos III de Madrid in Spain and Stony Brook University in the US, which analysed crowdsourced data from 1,742 devices made by 214 vendors, bloatware can also create hidden security and privacy risks.

Their first discovery was the sheer amount and mysterious origins of the software shipping on Android devices, which totalled 424,584 firmware files, only 9% of which corresponded to app APKs found on Google Play.

That amounted to around 140,000 apps, built using 11,665 different third-party software libraries (TPLs), and 1,200 developers closely associated with smartphone makers.

What does all this software do?

Mostly social networking, advertising, and analytics, which included extensive tracking of users for commercial purposes, the researchers found.

A lot of it was obscure long-tail stuff but plenty of big brands appeared regularly, such as Spotify, Facebook, TripAdvisor, and AccuWeather.

Activities ranged from gathering location data to more invasive cases that resulted in the collection of phone call metadata, contacts and, of course, valuable behavioural data.

The analysis covered 144 countries, with the team also spotting a small number of known malicious apps.

Our results reveal that a significant part of the pre-installed software exhibit potentially harmful or unwanted behavior.

Android users understand that phone makers need to make a profit from the device. What’s less well understood is that the data users generate while using the device is also lucrative when scaled across millions of people. It’s not easy for Android users to fathom for themselves:

Overall, the supply chain around Android’s open source model lacks transparency and has facilitated potentially harmful behaviors and backdoored access to sensitive data and services without user consent or awareness.

And the sheer volume of pre-installed apps and privileges afforded to them increased the chances that some suffered from software flaws that might be exploited maliciously by third parties.

The researchers suggest reforms, including that phone makers be required to list the installed software, stating its developer and purpose and any data collection it is engaged in.

They also suggest reforming user consent – although that might not be easy to put into practice on a device with a dozen or more of these pre-installed apps, each one of which might require a separate agreement.

Perhaps, then, it would just be easier to allow users to uninstall all non-integral apps. This wouldn’t solve the bloatware problem (not all users would bother) but would at least give users some say in the matter.

Right now, buying an Android smartphone is like holding a party for a large number of guests you’ve never met and perhaps shouldn’t trust.

Listen to the podcast

In episode 26 of the Naked Security podcast, we looked into the annoying problem of bloatware on Android phones [01’54”]


(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)


Wonder how much profit for vendors and carriers is in the bloatware – and whether it’s a fixed amount or pay-per-tap? As there are apps that collect and transmit data even when not used I assume a combination. So what should the price be without the bloatware? Perhaps most users wouldn’t bother but why is there not an option to get a bloat-/ad-/trackware-free device for a certain surcharge?
BTW: Not sure if I should read “discused” as “disc-used” or as verbified “discus”


The more I read, the more I realize that we are headed in the direction that sci-fi writers have posed for decades now. Not only is Big Brother watching, but big Corporations own us! See what happens when you use Google Maps. They know where you went and then they send you a questionnaire asking you to rate the place that you had been too. I’m 70 years old, and I’ve seen many changes in my life. it’s sad that the young people that are growing up now will just be so used to all of this that they won’t care one way or the other. Again, I’ll mention the Sci-Fi books and movies that portray these very issues, and it looks like that’s the direction we’re headed whether there are laws enacted or not.


The ability to remove bloatware should be the first change. I can only add a couple of apps to my tablet because Google/Samsung insist on having tons of non-removal apps loaded on the internal memory. To make matters worse, even when I move an app to external memory as soon as the app is updated it returns to the internal memory and I get to start the process all over again on What’s eating Gilbert Grapes memory.


So fed up with Android bloatware and non updating, that I have moved to a 4G “feature phone” – I can still make calls and send messages!
I think I will get all other functionality by tethering my tablet only when required.


The day when I actually think we should spread the kindle model of “with ads removed” versions at a lower price is here.



Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!