Security Evaluation of Android apps in budget African Mobile Devices

📅 2025-09-23
🤖 AI Summary
This study presents the first systematic security and privacy assessment of preinstalled applications on mainstream low-cost Android devices in Africa. To address the lack of empirical evidence on such risks, we construct a static analysis framework integrating sensitive permission detection, exposed component identification, and dangerous behavior pattern matching. Applied to 1,544 preinstalled APKs across 14 commercially available devices, our analysis reveals widespread vulnerabilities: 145 apps leak sensitive data; 249 expose critical components (e.g., Activities, Services); 226 execute privileged shell commands; 79 manipulate SMS messages; and 33 support silent installation. Critically, multiple vendor-specific packages were found to persistently transmit device location and unique identifiers (e.g., IMEI, Android ID) to third-party domains. These findings expose systemic, previously overlooked security deficiencies in mobile ecosystems serving low-income markets. The work provides the first large-scale empirical foundation for mobile security governance in emerging economies and delivers a reusable, automated static analysis methodology for scalable preinstalled app auditing.

📝 Abstract
Android's open-source nature facilitates widespread smartphone accessibility, particularly in price-sensitive markets. System and vendor applications that come pre-installed on budget Android devices frequently operate with elevated privileges, yet they receive limited independent examination. To address this gap, we developed a framework that extracts APKs from physical devices and applies static analysis to identify privacy and security issues in embedded software. Our study examined 1,544 APKs collected from seven African smartphones. The analysis revealed that 145 applications (9%) disclose sensitive data, 249 (16%) expose critical components without sufficient safeguards, and many present additional risks: 226 execute privileged or dangerous commands, 79 interact with SMS messages (read, send, or delete), and 33 perform silent installation operations. We also uncovered a vendor-supplied package that appears to transmit device identifiers and location details to an external third party. These results demonstrate that pre-installed applications on widely distributed low-cost devices represent a significant and underexplored threat to user security and privacy.
Problem

Research questions and friction points this paper is trying to address.

Evaluating security risks in pre-installed apps on budget African Android devices
Identifying privacy issues through static analysis of embedded system applications
Assessing underexplored threats from privileged vendor software in low-cost smartphones
Innovation

Methods, ideas, or system contributions that make the work stand out.

Framework extracts APKs from physical devices
Applies static analysis to identify security issues
Evaluated 1,544 APKs from seven African smartphones
Alioune Diallo
SnT/TruX, University of Luxembourg, Kirchberg, Luxembourg
Anta Diop
UCAD/ESP, Université Cheikh Anta Diop, Dakar, Senegal
Abdoul Kader Kabore
SnT/TruX, University of Luxembourg, Kirchberg, Luxembourg
Jordan Samhi
Research Scientist, University of Luxembourg
Computer Science, Software Engineering, Software Security, Android Security, Program Analysis
Aleksandr Pilgun
University of Luxembourg
Android, software security, code analysis, reverse engineering
Tegawendé F. Bissyandé
SnT/TruX, University of Luxembourg, Kirchberg, Luxembourg
Jacques Klein
SnT/TruX, University of Luxembourg, Kirchberg, Luxembourg