[jwells89]

The first scenario is a possibility for a lot of budget phones, as well as carrier-distributed phones. Both include bundled third party "system" apps, especially the budget phones where the bundleware is more likely to be from questionable devs.

It's something most of us knew already, but it's just another reason why it's a bad idea to buy dirt cheap crapware-subsidized phones, and why it's better to buy phones through electronics retailers or from the manufacturer and to steer clear of purchasing through carriers.

[lolinder]

If the main attack vector is "software preinstalled by shady manufacturers", I'd still file that under "nothingburger". There are many, many ways for shady manufacturers to do shady things with their OEM version of Android, and this is far from a game changer for them.