You OTA Know: Combating Malicious Android System Updaters

Botconf 2023
2023-04-22 | 14:50 – 15:30

Łukasz Siewierski 🗣 | Alec Guertin 🗣

Over-the-air (OTA) updates are a crucial part of the Android operating system. The updates are signed and applied by the operating system, but checking for new updates, downloading the files and handling user interaction is done by a preinstalled application – an OTA provider. For operating system updates, the OTA application cannot interfere with the contents of the update in any way, which makes the OTA system image update secure.

However, to provide lightweight updates to preloaded applications, OTA applications are often also able to download and install specific applications. Access to these privileges makes OTA applications a potentially interesting target for abuse.

We have identified several cases in which third-party OTA solutions contained code used to secretly download additional apps without user consent during the device’s lifetime. This talk covers examples of the problematic additions, the downloaded applications, the steps we have taken to combat the problem by pre-scanning system images, and the future of the Android OTA ecosystem.

