Slashdot security articles

Syndicate content Slashdot: Generated for TarPitt (217247)
News for nerds, stuff that matters: Generated for TarPitt (217247)
Updated: 2 days 12 hours ago

Toyota Security Breach Exposes Personal Info of 3.1 Million Clients

Fri, 03/29/2019 - 13:30
An anonymous reader quotes a report from BleepingComputer: The personal information of roughly 3.1 million Toyota customers may have been leaked following a security breach of multiple Toyota and Lexus sales subsidiaries, as detailed in a breach notification issued by the car maker today. As detailed in a press release published on Toyota'a global newsroom, unauthorized access was detected on the computing systems of Tokyo Sales Holdings, Tokyo Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Nets Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla. "It turned out that up to 3.1 million items of customer information may have been leaked outside the company. The information that may have been leaked this time does not include information on credit cards," says the data breach notification. Toyota has not yet confirmed if the attackers were able to exfiltrate any of the customer personal information exposed after the IT systems of its subsidiaries were breached. Toyota said in a statement: "We apologize to everyone who has been using Toyota and Lexus vehicles for the great concern. We take this situation seriously, and will thoroughly implement information security measures at dealers and the entire Toyota Group."

Critical Magento SQL Injection Flaw Could Soon Be Targeted By Hackers

Fri, 03/29/2019 - 12:50
itwbennett writes: The popular e-commerce platform Magento has released 37 security issues affecting both the commercial and open-source versions, four of which are critical. 'Of those, one SQL injection flaw is of particular concern for researchers because it can be exploited without authentication,' writes Lucian Constantine for CSO. Researchers from Web security firm Sucuri 'have already reverse-engineered the patch [for that flaw] and created a working proof-of-concept exploit for internal testing' says Constantin. 'The SQL vulnerability is very easy to exploit, and we encourage every Magento site owner to update to these recently patched versions to protect their ecommerce websites,' the researchers warn in a blog post.

Paywalls Block Scientific Progress. Research Should Be Open To Everyone

Fri, 03/29/2019 - 12:10
An anonymous reader shares a report: Academic and scientific research needs to be accessible to all. The world's most pressing problems like clean water or food security deserve to have as many people as possible solving their complexities. Yet our current academic research system has no interest in harnessing our collective intelligence. Scientific progress is currently thwarted by one thing: paywalls. Paywalls, which restrict access to content without a paid subscription, represent a common practice used by academic publishers to block access to scientific research for those who have not paid. This keeps $25.5bn flowing from higher education and science into for-profit publisher bank accounts. My recent documentary, Paywall: The Business of Scholarship, uncovered that the largest academic publisher, Elsevier, regularly has a profit margin between 35-40%, which is greater than Google's. With financial capacity comes power, lobbyists, and the ability to manipulate markets for strategic advantages â" things that underfunded universities and libraries in poorer countries do not have. Furthermore, university librarians are regularly required to sign non-disclosure agreements on their contract-pricing specifics with the largest for-profit publishers. Each contract is tailored specifically to that university based upon a variety of factors: history, endowment, current enrolment. This thwarts any collective discussion around price structures, and gives publishers all the power.

Google: Play Protect Cut Harmful Android App Installs by 20% in 2018

Fri, 03/29/2019 - 10:50
Speaking of the state of Android apps' security, Google today published its annual Android Security & Privacy Year in Review, a comprehensive report that details the company's ongoing efforts to keep over two billion devices running Android mobile operating system secure. From a report: Google says that Google Play Protect, Android's AI-driven built-in defense mechanism, substantially cut down on the number of Potentially Harmful Applications (PHAs) in Google Play. Last year, only 0.08 percent of devices that used Google Play exclusively for app downloads were affected by PHAs, and even devices that installed apps from outside of Play -- 0.68 percent of which were affected by one or more PHAs, down from 0.80 percent in 2017 -- saw a 15 percent reduction in malware. In fact, Play Protect prevented 1.6 billion PHA installation attempts from outside of Google Play in 2018, Google says [PDF]. Installation attempts outside of Google Play fell by 20 percent from the previous year, and 73 percent of PHA installations were successfully stopped compared to 71 percent in 2017 and 59 percent in 2016. In all, 0.45 percent of Android devices running Play Protect installed PHAs in 2018 compared with 0.56 percent of devices in 2017, equating to a 20 percent year-over-year improvement.

Researchers Discover and Abuse New Undocumented Feature in Intel Chipsets

Fri, 03/29/2019 - 08:58
At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets. From a report: Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines. VISA is included with Platform Controller Hub (PCH) chipsets part of modern Intel CPUs and works like a full-fledged logic signal analyzer. According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH -- and later the main CPU. Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level. But despite its extremely intrusive nature, very little is known about this new technology.

Researchers Find Google Play Store Apps Were Actually Government Malware

Fri, 03/29/2019 - 06:50
Security researchers have found a new kind of government malware that was hiding in plain sight within apps on Android's Play Store. And they appear to have uncovered a case of lawful intercept gone wrong. An anonymous reader writes: This new case once again highlights the limits of Google's filters that are intended to prevent malware from slipping onto the Play Store. In this case, more than 20 malicious apps went unnoticed by Google over the course of roughly two years. Motherboard has also learned of a new kind of Android malware on the Google Play store that was sold to the Italian government by a company that sells surveillance cameras but was not known to produce malware until now. Experts told Motherboard the operation may have ensnared innocent victims as the spyware appears to have been faulty and poorly targeted. Legal and law enforcement experts told Motherboard the spyware could be illegal. The spyware apps were discovered and studied in a joint investigation by researchers from Security Without Borders, a non-profit that often investigates threats against dissidents and human rights defenders, and Motherboard. The researchers published a detailed, technical report of their findings on Friday.

Security Researcher Pleads Guilty To Hacking Into Microsoft and Nintendo

Thu, 03/28/2019 - 17:30
24-year-old security researcher Zammis Clark pleaded guilty today to hacking into Microsoft and Nintendo servers and stealing confidential information. Clark, known online as Slipstream or Raylee, "was charged on multiple counts of computer misuse offenses in a London Crown Court on Thursday, and pleaded guilty to hacking into Microsoft and Nintendo networks," reports The Verge. From the report: Prosecutors revealed that Clark had gained access to a Microsoft server on January 24th, 2017 using an internal username and password, and then uploaded a web shell to remotely access Microsoft's network freely for at least three weeks. Clark then uploaded multiple shells which allowed him to search through Microsoft's network, upload files, and download data. In total, around 43,000 files were stolen after Clark targeted Microsoft's internal Windows flighting servers. These servers contain confidential copies of pre-release versions of Windows, and are used to distribute early beta code to developers working on Windows. Clark targeted unique build numbers to gain information on pre-release versions of Windows in around 7,500 searches for unreleased products, codenames, and build numbers. Clark then shared access to Microsoft's servers through an Internet Relay Chat (IRC) server chatroom, allowing other individuals to access and steal confidential information. Prosecutors say other hackers from France, Germany, the United Arab Emirates, and other countries were then able to access Microsoft's servers. Police found the stolen files on Clark's home computer after a joint investigation involving Microsoft's cyber team, the FBI, EUROPOL, and the NCA's National Cyber Crime Unit (NCCU). [...] The Microsoft intrusion ended when Clark uploaded malware onto Microsoft's network, and he was subsequently arrested in June, 2017. Clark was then bailed without any restrictions on his computer use, and went on to hack into Nintendo's internal network in March last year. Clark gained access through Virtual Private Networks (VPNs) and used similar software to hack into Nintendo's highly confidential game development servers. These servers store development code for unreleased games, and Clark was able to steal 2,365 usernames and passwords until Nintendo eventually discovered the breach in May 2018. Nintendo estimates the cost of damages between $913,000 and $1.8 million, and Microsoft previously provided the court with a vague estimate of around $2 million in damages. 26-year-old Thomas Hounsell, known in the Windows community for running the now discontinued BuildFeed website, appeared alongside Clark in court on Thursday for using Clark's Microsoft server breach to conduct more than 1,000 searches for products, codenames, and build numbers over a 17-day period, the report adds.

Russia Orders Major VPN Providers To Block 'Banned' Sites

Thu, 03/28/2019 - 16:50
Russian authorities have ordered ten major VPN providers to begin blocking sites on the country's blacklist. "NordVPN, ExpressVPN, IPVanish and HideMyAss are among those affected," reports TorrentFreak. "TorGuard also received a notification and has pulled its services out of Russia with immediate effect." From the report: During the past few days, telecoms watch Roscomnadzor says it sent compliance notifications to 10 major VPN services with servers inside Russia -- NordVPN, ExpressVPN, TorGuard, IPVanish, VPN Unlimited, VyprVPN, Kaspersky Secure Connection, HideMyAss!, Hola VPN, and OpenVPN. The government agency is demanding that the affected services begin interfacing with the FGIS database, blocking the sites listed within. Several other local companies -- search giant Yandex, Sputnik, Mail.ru, and Rambler -- are already connected to the database and filtering as required. "In accordance with paragraph 5 of Article 15.8 of the Federal Law No. 149-FZ of 27.07.2006 'On Information, Information Technology and on Protection of Information' hereby we are informing you about the necessity to get connected to the Federal state informational system of the blocked information sources and networks [FGIS] within thirty working days from the receipt [of this notice]," the notice reads. A notice received by TorGuard reveals that the provider was indeed given just under a month to comply. The notice also details the consequences for not doing so, i.e being placed on the blacklist with the rest of the banned sites so it cannot operate in Russia. The demand from Roscomnadzor sent to TorGuard and the other companies also requires that they hand over information to the authorities, including details of their operators and places of business. The notice itself states that for foreign entities, Russian authorities require the full entity name, country of residence, tax number and/or trade register number, postal and email address details, plus other information.

Researchers Find 36 New Security Flaws In LTE Protocol

Thu, 03/28/2019 - 13:30
An anonymous reader quotes a report from ZDNet: A group of academics from South Korea have identified 36 new vulnerabilities in the Long-Term Evolution (LTE) standard used by thousands of mobile networks and hundreds of millions of users across the world. The vulnerabilities allow attackers to disrupt mobile base stations, block incoming calls to a device, disconnect users from a mobile network, send spoofed SMS messages, and eavesdrop and manipulate user data traffic. They were discovered by a four-person research team from the Korea Advanced Institute of Science and Technology Constitution (KAIST), and documented in a research paper they intend to present at the IEEE Symposium on Security and Privacy in late May 2019. The Korean researchers said they found 51 LTE vulnerabilities, of which 36 are new, and 15 have been first identified by other research groups in the past. They discovered this sheer number of flaws by using a technique known as fuzzing --a code testing method that inputs a large quantity of random data into an application and analyzes the output for abnormalities, which, in turn, give developers a hint about the presence of possible bugs. The resulting vulnerabilities, see image below or this Google Docs sheet, were located in both the design and implementation of the LTE standard among the different carriers and device vendors. The KAIST team said it notified both the 3GPP (industry body behind LTE standard) and the GSMA (industry body that represents mobile operators), but also the corresponding baseband chipset vendors and network equipment vendors on whose hardware they performed the LTEFuzz tests.

Zuckerberg is Sitting on More Data About What People Want To Do Online Than Anyone Else in the World, Former Facebook Chief Security Officer Says

Thu, 03/28/2019 - 12:50
Former Facebook executive Alex Stamos explained how Facebook's Mark Zuckerberg is able to consistently make decisions that only make sense with the benefit of hindsight. From a report: "Mark Zuckerberg is sitting on more data about what people want to do online than anyone else in the world," said Stamos, who was speaking at the Washington Post's technology and policy conference on Wednesday evening. He cited the acquisitions of private messaging WhatsApp in 2014 for $19 billion, and photo-sharing service Instagram in 2012 for $1 billion, as examples of bets "that people think are insane but turn out to be prophetic because he knows the direction the world is going," Stamos said. Further reading: Facebook Used Its VPN App To Track Competitors, Documents Reveal.

Huawei's Equipment Poses 'Significant' Security Risks, UK Says

Thu, 03/28/2019 - 08:10
The U.K. government warned on Thursday Huawei's telecommunications equipment raises "significant" security issues, posing a possible setback to the Chinese tech firm as it looks to build out 5G networks. From a report: In 46-page report evaluating Huawei's security risks, British officials stopped short of calling for a ban of Huawei's 5G telecommunications equipment. But the assessment cited "underlying defects" in the company's software engineering and cybersecurity processes, citing "significantly increased risk to U.K. operators." The findings give weight to warnings from U.S. officials who have argued Huawei's networking equipment could be used for espionage by the Chinese government. Huawei has repeatedly said it does not pose any risk and insists it would not share customer data with Beijing. In a statement Thursday, Huawei said it takes the U.K. government's findings "very seriously."

Office Depot and Support.com To Pay $35 Million To Settle FTC Allegations That They Charged Users Millions in 'Fake' Malware Cleanup Fees

Thu, 03/28/2019 - 06:50
Office Depot and Support.com have coughed up $35 million after they were accused of lying to people that their PCs were infected with malware in order to charge them cleanup fees. From a report: Late Wednesday, the pair of businesses settled a lawsuit brought against them by the US Federal Trade Commission, which alleged staff at the tech duo falsely claimed software nasties were lingering on customers' computers to make a fast buck. The lawsuit, filed in southern Florida, claimed the two companies, including Office Depot subsidiary OfficeMax, from 2009 until November 2016 misrepresented the state of consumers' computers by using a sales tool designed to convince people to pay for diagnostic and repair services. "In numerous instances throughout this time period, Defendants used the PC Health Check Program to report to Office Depot Companies customers that the scan had found or identified 'Malware Symptoms' when it had not done so," the complaint stated. "Additionally, in numerous instances, the PC Health Check Program falsely reported to consumers that the program had found 'infections' on the consumer's computer." According to the watchdog's complaint, the PC Health Check Program was incapable of finding malware. Support.com allegedly programmed the software so that whenever an Office Depot Company employee checked any one of four checkboxes describing a generic concern, like slowness, before the scan started, the scan would automatically report the detection of malware symptoms, and for a time, infections.

French Gas Stations Robbed After Forgetting To Change Gas Pump PINs

Wed, 03/27/2019 - 19:30
An anonymous reader quotes a report from ZDNet: French authorities have arrested five men who stole over 120,000 liters (26,400 gallons) of fuel from gas stations around Paris by unlocking gas pumps using a special remote. The five-man team operated with the help of a special remote they bought online and which could unlock a particular brand of gas pumps installed at Total gas stations. The hack was possible because some gas station managers didn't change the gas pump's default lock code from the standard 0000. Hackers would use this simple PIN code to reset fuel prices and remove any fill-up limits. Crooks would operate in small teams of two to three individuals who visited gas stations at night using two vehicles. A man in a first car would use the remote to unlock the gas station, and then a second car, usually a van, would come along seconds later to fill a giant tanker installed in the back of the vehicle with as much as 2,000 or 3,000 liters in one go. The group advertised the fuel they stole on social media, providing a time and place where customers could come and refuel their vehicles or pick up orders for gasoline and diesel at smaller prices. Police uncovered the scheme in April 2018, when they arrested a suspect in possession of a remote used in the hack. "Five men, part of the same gang, were arrested on Monday, according to Le Parisien, who first reported the scheme last November," the report adds.

Microsoft Takes Control of 99 Domains Operated By Iranian State Hackers

Wed, 03/27/2019 - 16:10
An anonymous reader quotes a report from ZDNet: Court documents unsealed today revealed that Microsoft has been waging a secret battle against a group of Iranian government-sponsored hackers. The OS maker sued and won a restraining order that allowed it to take control of 99 web domains that had been previously owned and operated by a group of Iranian hackers known in cyber-security circles as APT35, Phosphorus, Charming Kitten, and the Ajax Security Team. The domains had been used as part of spear-phishing campaigns aimed at users in the US and across the world. APT35 hackers had registered these domains to incorporate the names of well-known brands, such as Microsoft, Yahoo, and others. The domains were then used to collect login credentials for users the group had tricked into accessing their sites. The tactic is decades old but is still extremely successful at tricking users into unwittingly disclosing usernames and passwords, even today. Some of the domains Microsoft has confiscated include the likes of outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net. Microsoft said it received substantial support from the domain registrars, which transferred the domains over to Microsoft as soon as the company obtained a court order.

Senators Demand To Know Why Election Vendors Still Sell Voting Machines With 'Known Vulnerabilities'

Wed, 03/27/2019 - 13:30
An anonymous reader quotes a report from TechCrunch: Four senior senators have called on the largest U.S. voting machine makers to explain why they continue to sell devices with "known vulnerabilities," ahead of upcoming critical elections. The letter, sent Wednesday, calls on election equipment makers ES&S, Dominion Voting and Hart InterCivic to explain why they continue to sell decades-old machines, which the senators say contain security flaws that could undermine the results of elections if exploited. "The integrity of our elections is directly tied to the machines we vote on," said the letter sent by Sens. Amy Klobuchar (D-MN), Mark Warner (D-VA), Jack Reed (D-RI) and Gary Peters (D-MI), the most senior Democrats on the Rules, Intelligence, Armed Services and Homeland Security committees, respectively. "Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price," the letter adds. Their primary concern is that the three companies have more than 90 percent of the U.S. election equipment market share but their voting machines lack paper ballots or auditability, making it impossible to know if a vote was accurately counted in the event of a bug. Yet, these are the same devices tens of millions of voters will use in the upcoming 2020 presidential election. ES&S spokesperson Katina Granger said it will respond to the letter it received. The ranking Democrats say paper ballots are "basic necessities" for a reliable voting system, but the companies still produce machines that don't produce paper results.

FTC Fines Four Operations Responsible For Billions of Illegal Robocalls

Wed, 03/27/2019 - 11:36
Four companies that made billions of illegal robocalls have been caught and fined. From a report: The Federal Trade Commission on Tuesday said the agency reached settlements with four operations responsible for billions of illegal robocalls pitching debt-relief services, home security systems, fake charities, auto warranties and Google search results services. The companies were charged with violating the FTC Act, as well as the agency's Telemarketing Sales Rule and its Do Not Call provisions. "We have brought dozens of cases targeting illegal robocalls, and fighting unwanted calls remains one of our highest priorities," said Andrew Smith, director of the Bureau of Consumer Protection at the FTC, in a release. "We also have great advice on call-blocking services and how to reduce unwanted calls at [our website.]" The settlements come as the agency focuses on combating illegal robocalls. The four companies, NetDotSolutions, Higher Goals Marketing, Veterans of America and Pointbreak Media, are banned by court orders from robocalling and most telemarketing activities, according to the FTC's release. Further reading: FTC Tells ISPs To Disclose Exactly What Information They Collect On Users and What It's For.

Microsoft: Windows 10 Devices Open To 'Full Compromise' From Huawei PC Driver

Tue, 03/26/2019 - 17:00
According to ZDNet, researchers at Microsoft have discovered a buggy Huawei utility that could have given attackers a cheap way to undermine the security of the Windows kernel. From the report: Microsoft has now detailed how it found a severe local privilege escalation flaw in the Huawei PCManager driver software for its MateBook line of Windows 10 laptops. Thanks to Microsoft's work, the Chinese tech giant patched the flaw in January. As Microsoft researchers explain, third-party kernel drivers are becoming more attractive to attackers as a side-door to attacking the kernel without having to overcome its protections using an expensive zero-day kernel exploit in Windows. The flaw in Huawei's software was detected by new kernel sensors that were implemented in the Windows 10 October 2018 Update, aka version 1809. The kernel sensors are meant to address the difficulty of detecting malicious code running in the kernel and are designed to detect user-space asynchronous procedure call (APC) code injection from the kernel. Microsoft Defender ATP anti-malware uses these sensors to detect actions caused by kernel code that may inject code into user-mode. Huawei's PCManager triggered Defender ATP alerts on multiple Windows 10 devices, prompting Microsoft to launch an investigation. [...] The investigation led the researcher to the executable MateBookService.exe. Due to a flaw in Huawei's 'watchdog' mechanism for HwOs2Ec10x64.sys, an attacker is able to create a malicious instance of MateBookService.exe to gain elevated privileges. The flaw can be used to make code running with low privileges read and write to other processes or to kernel space, leading to a "full machine compromise." Long-time Slashdot reader shanen writes: Though the story features Huawei, there doesn't seem to be anything specific to that company there. Just innuendo that you can't trust Chinese companies, eh? "Don't throw your computer into that Chinese briar patch!" Anyway, the sordid reality is that Microsoft is the root of all evils in the Windows platform. If increasing security had been half as important as maximizing profits, then we'd be in a much better world today. All complicated software is buggy, but adding complexity for no good reason is just begging for more problems. Here's a crazy solution approach: Any OS feature that isn't used by a LARGE majority of the users should be REMOVED from the OS. Maybe that isn't strong enough. Maybe the OS should be strictly limited to what absolutely needs to be there. Guard those eggs carefully!

ASUS Releases Fix For ShadowHammer Malware Attack

Tue, 03/26/2019 - 13:30
Iwastheone shares a report from Engadget: ASUS may have inadvertently pushed malware to some of its computers through its update tool, but it at least it has a fix ready to go. The PC maker has released a new version of its Live Update software for laptops that addresses the ShadowHammer backdoor attack. It also promised "multiple security verification mechanisms" to reduce the chances of further attacks, and started using an "enhanced end-to-end encryption mechanism." There are upgrades to the behind-the-scenes server system to prevent future attacks, ASUS added. The company simultaneously reiterated the narrow scope of ShadowHammer, noting that the malware targeted a "very small and specific user group." It's believed to be an Advanced Persistent Threat -- that is, a state-backed assault against organizations rather than everyday users. Other ASUS devices weren't affected, according to a notice. While the fix is reassuring, it also raises questions as to why the systems weren't locked down earlier. Update tools are prime targets for hackers precisely because they're both trusted and have deep access to the operating system -- tight security is necessary to prevent an intruder from hijacking the process.

Gmail App Changes Will Cause Most IFTTT Features To Stop Working

Mon, 03/25/2019 - 16:45
Almost all of Gmail's IFTTT routines and actions will stop working at the end of the month as Google alters the Gmail API to make it more secure. The only functionality of IFTTT-Gmail integration will be sending yourself an email and sending an email to someone else. TechSpot reports: The roots of this problem reach back to a breathless report in the Wall Street Journal in the summer of 2018 that claimed Gmail app developers have been reading your email. What it actually meant was that Gmail's OAuth account access was too simple -- if you allowed an application to access to Gmail, it had access to all of it. Even apps that didn't need the full text of emails for their intended function would have access to that after you signed in. Google began tightening access to Gmail content for third-party apps, and that's where IFTTT comes in. As of March 31, Google is placing new restrictions on Gmail apps. Apps can no longer read, create, or modify message bodies. None of IFTTT's seven Gmail triggers will work anymore after the new API rules go into effect. In conversations with Google, IFTTT was able to keep two of the Gmail actions: sending yourself an email and sending an email to someone else. However, the trigger needs to be from another service. You can log into your IFTTT account to see which of your Applets are affected by the change. The new API rules only affect Gmail. Other G Suite services like Google Drive and Assistant will remain operating normally.

Android Users' Security and Privacy At Risk From Shadowy Ecosystem of Pre-Installed Software, Study Warns

Mon, 03/25/2019 - 14:20
Researchers behind a large-scale independent study of pre-installed Android apps "unearthed a complex ecosystem of players with a primary focus on advertising and 'data-driven services' -- which they argue the average Android user is likely to be unaware of (while also likely lacking the ability to uninstall/evade the baked in software's privileged access to data and resources themselves)," reports TechCrunch. From the report: The study, which was carried out by researchers at the Universidad Carlos III de Madrid (UC3M) and the IMDEA Networks Institute, in collaboration with the International Computer Science Institute (ICSI) at Berkeley (USA) and Stony Brook University of New York (US), encompassed more than 82,000 pre-installed Android apps across more than 1,700 devices manufactured by 214 brands, according to the IMDEA institute. "The study shows, on the one hand, that the permission model on the Android operating system and its apps allow a large number of actors to track and obtain personal user information," it writes. "At the same time, it reveals that the end user is not aware of these actors in the Android terminals or of the implications that this practice could have on their privacy. Furthermore, the presence of this privileged software in the system makes it difficult to eliminate it if one is not an expert user." In all 1,200 developers were identified behind the pre-installed software they found in the data-set they examined, as well as more than 11,000 third party libraries (SDKs). Many of the preloaded apps were found to display what the researchers dub potentially dangerous or undesired behavior. The data-set underpinning their analysis was collected via crowd-sourcing methods -- using a purpose-built app (called Firmware Scanner), and pulling data from the Lumen Privacy Monitor app. The latter provided the researchers with visibility on mobile traffic flow -- via anonymized network flow metadata obtained from its users. They also crawled the Google Play Store to compare their findings on pre-installed apps with publicly available apps -- and found that just 9% of the package names in their dataset were publicly indexed on Play. Another concerning finding relates to permissions. In addition to standard permissions defined in Android (i.e. which can be controlled by the user) the researchers say they identified more than 4,845 owner or "personalized" permissions by different actors in the manufacture and distribution of devices. So that means they found systematic user permissions workarounds being enabled by scores of commercial deals cut in a non-transparency data-driven background Android software ecosystem. The researchers address the lack of transparency and accountability in the Android ecosystem by suggesting the introduction and use of certificates signed by globally-trusted certificate authorities, or a certificate transparency repository "dedicated to providing details and attribution for certificates used to sign various Android apps, including pre-installed apps, even if self-signed." They also suggest Android devices should be required to document all pre-installed apps, plus their purpose, and name the entity responsible for each piece of software -- and do so in a manner that is "accessible and understandable to users."