When you buy an Android smartphone, it’s rarely pure Android. Manufacturers squeeze in their own apps or give it a fresh coat of interface. Carriers do it too. The resulting stew of preinstalled software and vanilla Android sometimes turns out to be rancid, putting flaws and vulnerabilities on the phone before you even take it out of the box. For proof of how bad it is, look no further than the 146 vulnerabilities—across 29 Android smartphone makers—that have just been simultaneously revealed.

Yes, that’s 146, all discovered by security firm Kryptowire and detailed one by one in a new gargantuan disclosure. Most of the implicated companies operate primarily in Asia, but the list includes global heavyweights like Samsung and Asus as well. While the bugs vary in severity and scope—and in some cases, the manufacturers dispute that they’re a threat at all—they illustrate an endemic problem for Android, one that Google has acknowledged.

The vulnerabilities Kryptowire turned up, in research funded by the Department of Homeland Security, encompass everything from unauthorized audio recording to command execution to the ability to modify system properties and wireless settings. What makes them so pernicious, though, is how they get on phones, and how hard they are to remove.

“We wanted to understand how easy it is for someone to be able to penetrate the device without the user downloading an application,” says Kryptowire CEO Angelos Stavrou. “If the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases the user cannot do anything to remove the offending functionality.”

It’s one thing if you fall for a shady Fortnite download. At least that was a choice you made, and you can also uninstall it. The vulnerabilities Kryptowire found are often preinstalled at a system level, with no way to purge them from your device.

“In the race to create cheap devices, I believe that the quality of software is being eroded in a way that exposes the end user,” says Angelos Stavrou of Kryptowire.

If all of this sounds vaguely familiar, it’s because Kryptowire has been down this road before. A little over a year ago it disclosed the results of a similar round of research that found this same class of defects built into 10 popular Android devices. The difference now—and the reason the work is so much more comprehensive—is that the team has built a tool that scans firmware for issues without needing the device physically in hand. Kryptowire’s system then automatically creates a proof of concept, in a matter of minutes, that validates the vulnerability’s existence and cuts down on false positives. The tool looks for “unsafe states,” as Stavrou puts it, that would allow an application to take a screenshot or record audio or create a network connection when it shouldn’t.

The issue often comes down to trust. Many of the vulnerabilities Kryptowire found enable apps to do things like change settings without your knowledge or consent.

“We believe that if you are a vendor you should not trust anybody else to have the same level of permissions as you within the system,” says Stavrou. “This should not be an automatic thing.”

“We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these,” Google said in a statement. Google has its own vetting process, called the Build Test Suite, that checks software for potentially harmful preinstalled apps. BTS launched in 2018, and in its first year prevented 242 of those problematic installs from reaching consumers.

The Kryptowire research suggests that BTS has room for improvement. In fairness, it’s a problem of enormous scope. According to a presentation on this very topic given this summer by Google security researcher Maddie Stone, every Android device ships with 100 to 400 preinstalled apps. Many of those apps originate not from the company that’s making the physical device, but from third parties that provide the code for various under-the-hood tasks, or from carriers who have a vested interest in everything from messaging to payments. Most manufacturers are ill-equipped to parse all of those apps for potential risks, and even the largest still allow some sort of carrier influence.