Millions of Android devices are vulnerable right out of the box

Wired:

Security meltdowns on your smartphone are often self-inflicted: You clicked the wrong link, or installed the wrong app. But for millions of Android devices, the vulnerabilities have been baked in ahead of time, deep in the firmware, just waiting to be exploited. Who put them there? Some combination of the manufacturer that made it, and the carrier that sold it to you.

And:

“The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error,” Stavrou says. “They’re exposing the end user to exploits that the end user is not able to respond to.”

This problem is the end result of Android allowing third-party companies to modify the source code. An example:

Take the Asus ZenFone V Live, which Kryptowire found to leave its owners exposed to an entire system takeover, including taking screenshots and video recordings of a user’s screen, making phone calls, reading and modifying text messages, and more.

This is a fascinating read. This loss of centralized security control is yet another thing that keeps me in the Apple ecosystem. I do recognize that macOS, iOS, et al. have flaws, but the centralized security model (all the system software comes from Apple, not a third party) and the commitment to privacy do make me feel safer.