In an open letter published yesterday, more than 50 organizations have asked Google to take action against Android smartphone vendors sending devices with non-removable pre-installed apps, also known as bloatware.

The letter, signed by 53 organizations, was addressed to Google CEO Sundar Pichai.

Signatories say that Android bloatware has a damaging effect on user privacy. They say that many bloatware apps cannot be removed and expose users to having their data collected by unscrupulous phone vendors and app makers without their knowledge or consent.

“These pre-installed apps may have privileged custom permissions that allow them to work outside of the Android security model,” the open letter reads.

“This means that permissions can be defined by the app – including access to the microphone, camera and location – without activating the standard Android security prompts. Users are therefore completely in the dark about these serious burglaries.”

The signatories cite research from March 2018 that has determined that the Android ecosystem of pre-installed apps is a privacy and security mess. According to the survey, 91% of all tested pre-installed apps were not available in the official Google Play Store.

This means that most bloatware apps do not go through the screening process of Google apps, are not checked for excessive permissions, are not checked for known security bugs or malware and cannot be updated via the Play Store mechanism with new versions to fix bugs and security errors.

The organizations that signed the open letter believe that Android users are most at risk because of “the exploitative business practices of cheap smartphone manufacturers around the world” and that “privacy cannot be a luxury only offered to people who can afford ‘to buy an expensive phone.

Coincidentally, the open letter was published the day before Malwarebytes revealed the existence of non-removable malware in two apps pre-installed on low-cost low-end smartphones sold to low-income Americans through a government-subsidized program.

Signatories want new rules for OEMs



The signatories now ask Pichai to protect the Google brand by imposing new rules for Android OEMs (official device manufacturers, also known as Android smartphone manufacturers) regarding the type of bloatware apps that they can pre-install on their respective devices.

The three rules that the group has proposed are the following:

Individuals must be able to permanently delete the apps on their phones. This should include all related background services that continue to work even if the apps are disabled.

Pre-installed apps must pass the same research as Play Store apps, especially with regard to custom permissions.

Pre-installed apps must have an update mechanism, preferably via Google Play and without a user account. Google must refuse to certify a device for privacy reasons, where manufacturers or suppliers have attempted to exploit users in this way.

The signatories to the letter include organizations ranging from privacy groups to universities and from journalistic organizations to consumer protection groups. The full list of 53 organizations that have signed the open letter is available below.

Privacy International, the driving force behind this initiative, has also set up a petition page where normal users can add their vote to this campaign and put pressure on Google to intervene.

