On the security of pre-installed Android apps in low-cost devices

Pre-installed system and vendor applications on low-cost Android devices can run with elevated privileges yet receive little independent scrutiny. In this work, we present PiPLAnD, a pipeline that extracts APKs from physical devices and applies static analysis to detect sensitive-data leaks, manifest misconfigurations, and suspicious behaviors in pre-installed apps. Using PiPLAnD, we analyzed 1544 pre-installed APKs collected from seven devices (Infinix, itel, Tecno). Our findings show that 145 apps (9%) leak sensitive information, 249 apps (16%) export sensitive components without adequate protection, and numerous apps exhibit risky behaviors (226 execute dangerous commands, 79 access/send/delete SMS, 33 perform silent installation actions). We also identified a vendor-shipped package that appears to exfiltrate device identifiers and location to a third-party vendor. These results indicate that pre-installed software on widely distributed, low-cost devices can pose real privacy and security risks to end users.