A new smartphone comes with pre-installed apps that sometimes users do not like. These apps are not only annoying to remove; they are also clunky and, if not updated, could turn into a virus. A new report claims that these pre-installed apps on Android devices are riddled with security holes that could put users at risk.

Security firm Kryptowire created a tool that could automatically scan a massive number of Android devices for possible signs of security flaws. In research funded by the US Department of Homeland Security, the security firm tested the tool on 29 various vendors. While the majority of these vendors are not that popular, some of the big names in the smartphone industry make appearances, including Sony, Asus, and Samsung.

The security firm surprisingly discovered vulnerabilities of all sorts. This includes apps that can be forced to install other apps, tools that can be manipulated to record audios, and those that can mess the device’s system settings. Some of these uncovered vulnerabilities can only be activated by other apps that are pre-installed in the devices.

This limits the attack only to those in the supply chain. However, there are others that can be easily triggered by any app the user might have downloaded. The security firm has a complete list of vulnerabilities classified by type and manufacturer, that could put Android users to risk without their knowledge.

Kryptowire discovered 146 vulnerabilities from its most recent research. Google is aware of this possible attack route, according to Wired. The search engine giant launched the program titled Build Test Suite (BTS) last year that all partner OEM must pass. This scans the firmware of a device for any known security issues concealed among the pre-installed apps.

The BTS flags bad apps as Potentially Harmful Applications (PHAs). While the BTS is good, one automated system could not catch everything. When an issue sneaks on the device, there is no guarantee that a fix or a patch will be deployed. Techcrunch reports that it has reached out to Google about the recent issue. The search engine giant said that it appreciates the efforts of the research community who works with them to disclose and fix problems like these.