A red-alert discovery, though not a surprising one: Kryptowire security researchers have published the 2019 edition of their survey on the status of pre-installed software on Android devices and have identified over 145 bugs that can be exploited for malicious purposes.
In short, the apps that manufacturers preinstall on smartphones, which in some cases number in the hundreds once the suites bundled with devices are counted, are full of bugs of all kinds and put users and their data at risk. The vulnerabilities can lead to any kind of compromise: from the installation of unauthorized apps, to the modification of permissions, to the exfiltration of information and the unauthorized use of the microphone.
The Kryptowire survey identified these vulnerabilities on phones from 29 different manufacturers, including numerous companies focused on the low-end market (such as Cubot, Doogee and Elephone, among others) but also companies such as Asus, Samsung and Sony. Samsung issued an official note stating that, after being warned by Kryptowire, it investigated the situation and determined that the vulnerabilities are harmless as they are already mitigated by appropriate countermeasures.
"We wanted to understand how simple it was for someone to be able to penetrate the device without the user downloading any applications. If the problem lies in the device, it means that the user has no options. Since the code is deeply integrated into the system, in most cases the user cannot do anything to remove the compromised function or app," explained Angelos Stavrou, the CEO of Kryptowire.