Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you.

That’s the key finding of new analysis from mobile security firm Kryptowire, which details troubling bugs preloaded into 10 devices sold across the major US carriers. Kryptowire CEO Angelos Stavrou and director of research Ryan Johnson will present their research, funded by the Department of Homeland Security, at the Black Hat security conference Friday.

The potential outcomes of the vulnerabilities range in severity, from being able to lock someone out of their device to gaining surreptitious access to its microphone and other functions. They all share one common trait, though: They didn’t have to be there.

Instead, they’re a byproduct of an open Android operating system that lets third-party companies modify code to their own liking. There’s nothing inherently wrong with that; it allows for differentiation, which gives people more choice. Google will release a vanilla version of Android Pie this fall, but it’ll eventually come in all kinds of flavors.

Those modifications lead to headaches, though, including the well-established problem of delays in shipping security updates. They can also, as Stavrou and his team have uncovered, result in firmware bugs that put users at risk.

“The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error,” Stavrou says. “They’re exposing the end user to exploits that the end user is not able to respond to.”

The Black Hat talk focuses largely on devices from Asus, LG, Essential, and ZTE. That last one should pique some interest; DHS has suggested that the China-based company poses a security threat, though the agency hasn’t shared any concrete evidence to that effect.

And while DHS-funded, the Kryptowire study doesn’t provide that, either. Rather than focusing on manufacturer intent, it looks at the endemic problem of bad code pushed by participants in the broader Android ecosystem.

Take the Asus ZenFone V Live, which Kryptowire found to leave its owners exposed to an entire system takeover, including taking screenshots and video recordings of a user’s screen, making phone calls, reading and modifying text messages, and more.

“Asus is aware of the recent ZenFone security concerns raised and is working diligently and swiftly to resolve them with software updates that will be distributed over-the-air to our ZenFone users,” the company said in a statement. “Asus is committed to users’ security and privacy and we highly encourage all users to update to the latest ZenFone software to ensure a safe and secure user experience.”

At this point, pushing an update is the most Asus can do to clean up the mess it made. But Stavrou questions the efficacy of the patching process. “The user has to accept the patch. So even if they send it to the phone, you might not accept the update,” he says. He notes also that on some of the models Kryptowire tested, the update process itself was broken, a finding backed up by a recent study from German security firm Security Research Labs.

The attacks Kryptowire details do largely require the user to install an app. But while that’s normally a decent limiting factor for potential hacks—stick with the Google Play Store, folks—Stavrou says that what makes these vulnerabilities so pernicious is that those apps don’t need to have special privileges when you install them. An app wouldn’t, in other words, have to trick you into granting access to your text and call logs. It would take it, simply and silently, thanks to the device’s broken firmware.