Android's Achilles Heel is not Google, but vendors who pack their devices chock-full of dodgy software.

That's the conclusion reached by North Carolina State University researchers led by Xuxian Jiang, who has spent some time analysing Android security.

In the latest work, co-authored with Lei Wu, Michael Grace, Yajin Zhou and Chiachih Wu, the NCSU researchers analysed ten phones from five vendors. Their top-line results are:

• More than 85 per cent of pre-loaded smartphone apps carry excessive privileges;
• Most of those overprivileged apps were vendors' own customisations; and
• Between 64 per cent and 85 per cent of the vulnerabilities the researchers discovered arose directly from vendor customisations.

The vendor phones they examined included Google's own Nexus 4 and Nexus S; Samsung's Galaxy S2 and S3; HTC's Wildfire S and One X; LG's Optimus P350 and P880; and Sony's Xperia SL and Arc S variants.

In devices released before November 2012, the Nexus S and Wildfire S led the shame-walk. In both of these devices, more than 90 percent of pre-installed apps had excessive privileges (that is, they demanded access to features that were either unnecessary to the app, or exposed the users); while in post-2012 release kit, the worst offenders were the Optimus P880 (more than 90 per cent of apps) and the Galaxy S3 (more than 87 percent).

Considering that the best performer in the entire test sample, the HTC One X, still had more than 78 per cent of pre-loaded apps claiming excessive privilege, there's hardly any reason for any vendor to laugh-and-point at the worst offenders.

The One X had the best vulnerability performance, at just 1.79 per cent of pre-loaded apps, while the Wildfire S was the worst at 14.97 per cent of apps.

The researchers also noted that the number of vulnerabilities on devices had no correlation to the number of apps or the size of pre-loaded code on them: “both Sony devices perform very well, despite having a very large number of apps, while the LG devices do poorly on security even though they have the fewest apps of any non-reference device”, they write. ®

Related stories

• Samsung, Oppo collared in smartphone bloatware probe (5 July 2015)

  https://www.theregister.com/2015/07/05/china_bloatware_lawsuits_samsung_oppo/

• Insecure AVG search tool shoved down users' throats, says US CERT (8 July 2014)

  https://www.theregister.com/2014/07/08/download_wrappers_spruiked_vulnerable_avg_tool_cert_us_warns/

• We've invented the FONBLET, says Samsung (7 November 2013)

  https://www.theregister.com/2013/11/07/weve_invented_the_fonblet_says_samsung/

• Google's MYSTERY barges floating off US shores: The TRUTH (6 November 2013)

  https://www.theregister.com/2013/11/06/google_clears_up_barge_mystery_sort_of/

• Google's Nexus 5: Best smartphone bang for your buck. There, we said it (6 November 2013)

  https://www.theregister.com/2013/11/06/nexus_5_best_smartphone_bang_for_your_buck/

• Crypto protocols mostly crocked says euro infosec think-tank ENISA (31 October 2013)

  https://www.theregister.com/2013/10/31/most_security_protocols_insecure_suggests_enisa/

• Android's defences against malicious apps dissed by security bods (21 October 2013)

  https://www.theregister.com/2013/10/21/android_ios_security_comparison/

• Android security relies on ZOMBIE CRYPTO, argues infosec pundit (16 October 2013)

  https://www.theregister.com/2013/10/16/zombie_cipher_list_gives_android_weak_encryption/

• Android adware that MUST NOT BE NAMED threatens MILLIONS (8 October 2013)

  https://www.theregister.com/2013/10/08/android_ad_peril/