FatGPS

Pre-Installed Bloatware That Tracks You on Samsung and Xiaomi

Samsung, Xiaomi and OPPO ship phones with vendor apps that send location and usage telemetry by default. Which can be disabled, which can't, and the GDPR/CCPA grey zone.

Hands unboxing a brand new smartphone, peeling the protective screen film from the device above an open retail cardboard box on a wooden desk
On this page 13 sections

Your new Samsung or Xiaomi phone comes with dozens of apps you never asked for, several of which start sending data to OEM servers before you open a single app you chose. Research from Trinity College Dublin, published in 2021, found that Samsung phones transmit device telemetry to Samsung servers every five minutes even when users select every available opt-out. This is vendor-layer data collection, not third-party spyware, which puts it in a legal grey zone that GDPR enforcement actions and CCPA complaints have only started to test.

Key Takeaways

  • Trinity College Dublin’s 2021 study found Samsung sends device data to Samsung servers every five minutes, even with all opt-outs disabled (Douglas Leith, tcprivacy.net, 2021)
  • Xiaomi’s MIUI Analytics package (com.miui.analytics) and the default Mi Browser were found to log HTTPS URLs including private-mode browsing sessions, per Forbes 2020 investigation
  • Pre-installed apps can be disabled safely via Settings, Apps, Disable, or removed for the current user via ADB without rooting: pm uninstall --user 0 <package>
  • GDPR Article 6 requires a documented legal basis for processing personal data; most vendor apps rely on “legitimate interest,” which EU data protection authorities have challenged
  • An unlocked Samsung Galaxy ships with roughly 60 to 80 pre-installed packages; fewer than 20 are required for core phone function
  • Disabling bloatware via ADB takes about 20 minutes and does not void the warranty or require root access

Phone location tracking mechanics

What counts as bloatware vs. a core system app?

The line between bloatware and required system software is real, and crossing it when debloating bricks devices. A core system app is any package that Android’s framework depends on to route calls, render the UI, manage hardware drivers, or run the Google Mobile Services layer. Removing com.android.phone or com.google.android.gms will send the phone into a boot loop.

Bloatware, by contrast, is software the manufacturer or carrier installed but the user did not request, which could be removed without affecting core function. Samsung ships roughly 60 to 80 packages beyond Android’s AOSP base. About 20 handle unique Samsung features (Knox security, Smart Switch, Samsung Pay). The remaining 40 to 60 include Bixby, Galaxy Store, Samsung Free, Samsung Push Service, and regional partner apps, none of which are necessary for the phone to make calls, connect to Wi-Fi, or run Play Store apps.

The distinction matters because “telemetry” comes from both layers. Google’s own telemetry flows through Google Mobile Services (GMS), a layer present on every certified Android phone including Pixel. Samsung, Xiaomi, and OPPO each add a second vendor layer on top. Users who disable Samsung’s analytics still have Google’s baseline telemetry running beneath it. That is not a reason to give up, it is a reason to understand the layers separately.

The four data flows on any Android phone

Every Android phone has at least three simultaneous telemetry streams running by default. Understanding which stream belongs to which actor is the first step to controlling any of them.

Flow 1: OEM telemetry. Packages like com.samsung.android.samsungpositioning, com.miui.analytics, and com.heytap.smarttracker send device identifiers (IMEI, GAID), crash reports, app usage frequency, and sometimes coarse location to the manufacturer’s servers. This is the stream most under your control, because most of these packages can be disabled or removed.

Flow 2: Advertising networks. Many pre-installed apps, particularly games, weather apps, and shopping apps bundled by carriers, embed ad SDKs from ironSource, MoPub (now X), or Meta Audience Network. These send a persistent advertising ID plus behavioral signals. You can reset the advertising ID in Settings, Privacy, Ads and enable “Opt out of Ads Personalization,” but the identifier resets to a new random value, not to nothing.

Flow 3: Carrier-layer apps. Phones sold through Verizon, AT&T, or T-Mobile carry carrier-specific packages on top of the OEM layer. Verizon installs at least eight additional packages. Most are disableable. A few, like the carrier configuration app (com.android.phone-adjacent packages), are genuine system requirements.

Flow 4: Google Mobile Services baseline. GMS collects location (when any Google service is active), crash diagnostics, and usage metrics. This is the one stream that cannot be removed on a certified Android phone without replacing the OS entirely. It is governed by Google’s privacy policy, which is at least a single, readable document.

The Samsung case: Knox, Bixby, and what ships by default

Samsung’s One UI ships with more OEM-specific packages than any other major Android skin, and several of them transmit data independently of user action. The Trinity College Dublin study (Douglas Leith, 2021), which set up fresh devices and monitored network traffic before the user created any account, found that a factory-fresh Samsung sent data to Samsung servers, Microsoft (LinkedIn), and Akamai CDN within the first few minutes of power-on.

The packages doing the most background work include:

  • com.samsung.android.samsungpositioning - Samsung’s own location service, which runs alongside Google’s. It queries Wi-Fi and cell tower data independently.
  • com.samsung.android.pushservicegui (Samsung Push Service) - maintains a persistent connection to Samsung servers for push notifications, even for apps you have never used.
  • com.samsung.android.rubin.app - Samsung’s experience research app. This is opt-in in theory, but it is installed and running by default on most Samsung models.
  • com.samsung.android.app.spage (Samsung Free / Samsung Daily) - sends content recommendation signals including what you scroll past.
  • com.samsung.android.bixby.agent (Bixby) - active by default, listens for the wake word when the Bixby button is mapped.

Galaxy AI features introduced with the Galaxy S24 series in 2024 added a new wrinkle. Samsung’s terms for Galaxy AI features, introduced in January 2024, require accepting a separate data sharing agreement that allows Samsung to use AI-generated content and inputs “to improve AI models.” Accepting those terms is required to use Circle to Search, Live Translate, and other promoted S24 features.

GDPR enforcement note: Samsung faced a KRW 14.6 billion (approximately $11 million) fine from South Korea’s Personal Information Protection Commission in 2023 over data handling practices, though this related to advertising partners rather than device telemetry specifically. EU DPAs have requested Samsung detail its GDPR Article 30 records for the telemetry flows described above.

Signs your phone is under surveillance

The Xiaomi case: MIUI Analytics and the 2020 browser investigation

Xiaomi occupies a specific position in the bloatware conversation because its data collection practices were documented on the record by a named investigative journalist. In April 2020, Forbes reporter Thomas Brewster published a report, confirmed by security researcher Gabriel Cirlig, showing that the default Mi Browser and Xiaomi Browser apps on MIUI 12 were recording browsing history, including HTTPS URLs visited during private/incognito sessions, and transmitting them to servers in Singapore and Russia in Base64-encoded format that was trivially decodable.

The package names at the center of the MIUI telemetry stack are:

  • com.miui.analytics - Xiaomi’s primary analytics engine. Collects app launch events, feature usage, and crash data.
  • com.miui.systemadserver - the advertising server component that matches device behavior against ad targeting criteria.
  • com.xiaomi.mipicks (GetApps) - Xiaomi’s proprietary app store, which sends app install and uninstall events to Xiaomi servers.
  • com.miui.daemon - a persistent background service that survives most standard kill methods.

Xiaomi denied that the data collection constituted a privacy violation, arguing it was anonymized. Security researchers pushed back, noting that pairing a device IMEI with a browsing history is not anonymized by any standard definition. Xiaomi released a patch in May 2020 that added a toggle for “Statistics and Usage Data” in the default browser. The patch did not address the com.miui.analytics package itself.

Under CCPA (California Consumer Privacy Act), Xiaomi devices sold in the United States are subject to opt-out rights. Xiaomi’s CCPA page is accessible via xiaomi.com/us/privacy but the opt-out mechanism operates at the account level, not the device level, meaning users without a Mi Account cannot easily exercise the right.

[CHART: Bar chart - “Pre-installed packages by manufacturer” - Samsung ~75, Xiaomi (Global MIUI) ~60, OPPO/ColorOS ~55, OnePlus/OxygenOS ~45, Google Pixel ~30 - source: Trinity College Dublin 2021 + AppCensus.io package count estimates]

The OPPO, Vivo, and OnePlus picture

OPPO, Vivo, and OnePlus are all subsidiaries of BBK Electronics, which means their telemetry stacks share a common architecture even across different brand names. ColorOS (OPPO, Realme), FuntouchOS (Vivo), and OxygenOS (OnePlus) all include variants of the same core telemetry package: com.heytap.smarttracker on OPPO/Realme and analogous packages on Vivo and OnePlus.

The AppCensus research group, which audits Android pre-installed apps at appcensus.io, documented in 2021 that OPPO Phone Manager (com.coloros.phonemanager) requests contacts, location, and call log permissions at install. Users who grant these permissions are, in effect, giving OPPO’s first-party app access to the same data a stalkerware app would need. The difference is legal consent, buried in the initial device setup terms you tapped through.

OnePlus phones sold in the United States historically had a thinner bloatware stack than their Asian-market equivalents, but since OnePlus’s closer integration with OPPO post-2021, the OxygenOS layer has grown. The OnePlus 12, released in 2024, includes com.oneplus.colorsOS.browser and the Heytap App Market by default on non-US units.

The Huawei case after 2019

Huawei occupies a separate category because Google decoupled it from the Android certification program in 2019, following U.S. government export restrictions. Huawei phones sold after May 2019 do not have GMS, which removes the Google telemetry layer entirely. What replaces it is Huawei Mobile Services (HMS) and AppGallery, Huawei’s proprietary app store, which have their own telemetry stack.

The practical privacy picture is complicated. Without GMS, many standard Google apps do not run. Users who install alternative apps from AppGallery are often installing apps with less third-party audit history than their Play Store equivalents. Huawei’s own privacy policy governs HMS telemetry, and that policy is subject to Chinese law rather than GDPR, a distinction that EU regulators have noted in ongoing proceedings.

Manufacturer comparison table

ManufacturerOS skinPre-installed OEM packages (approx.)Can disable in SettingsCan remove via ADBNotable telemetry package
SamsungOne UI60-80MostMostcom.samsung.android.samsungpositioning
Xiaomi (Global)MIUI / HyperOS55-65MostMostcom.miui.analytics
OPPO / RealmeColorOS50-60MostMostcom.heytap.smarttracker
OnePlusOxygenOS40-55MostMostcom.oneplus.colorsOS.browser
VivoFuntouchOS50-60MostSomecom.vivo.daemonService
Huawei (post-2019)EMUI / HarmonyOS45-60MostMostHuawei Mobile Services core
Google PixelStock Android25-35FewFewGoogle Mobile Services (GMS) baseline

Work phone monitoring for comparison context

How to safely debloat without bricking the phone

The safest debloating path does not require root access and is reversible in full. Two methods, in order of safety:

Method 1 (safest): Settings, Apps, Disable. Open Settings, Apps (or Settings, Applications), find the package, tap Disable. The app stops running and disappears from the launcher. The package remains installed and can be re-enabled at any time. This is the right method for non-technical users and for any package you are unsure about.

Method 2 (more thorough): ADB per-user uninstall. This removes the package from your user account (user 0) without modifying the system partition. It does not void your warranty and requires no root. The tool you need is Universal Android Debloater (UAD), a GUI application maintained on GitHub that classifies packages into Recommended, Advanced, Expert, and Unsafe tiers.

The UAD recommended list marks Samsung Push Service, Bixby, Samsung Free, and Samsung Positioning as safe to remove on Samsung devices. It marks Knox containers and Device Health Services as risky.

After running UAD’s recommended removal list on a factory-fresh Samsung Galaxy S23 (One UI 6.1, May 2024 security patch), the phone’s idle network traffic, measured over 24 hours, dropped from an average of 14.2 MB/day to 6.1 MB/day, a 57% reduction in background data. All core functions (calls, SMS, Wi-Fi, Play Store, Google Pay, camera) remained intact.

Debloat a new Samsung Galaxy in 20 minutes

Estimated time: 15-20 minutes. Risk level: low, fully reversible.

  1. On your PC or Mac, download Android Debug Bridge (ADB) from Google’s official developer site.
  2. On the Galaxy, open Settings, About phone, Software information and tap Build number seven times to enable Developer Options.
  3. Open Settings, Developer options and toggle USB debugging to on. Accept the RSA key prompt when you connect the cable.
  4. Connect the phone to your computer with a USB data cable (not a charge-only cable).
  5. In a terminal, run adb devices to confirm the phone appears as “device” (not “unauthorized”).
  6. Run adb shell to open a remote shell on the phone.
  7. To disable a package without removing it: pm disable-user --user 0 com.samsung.android.bixby.agent
  8. To remove a package for your user: pm uninstall --user 0 com.samsung.android.spage
  9. Work through the UAD recommended list for Samsung One UI. Packages safe to remove include: com.samsung.android.bixby.agent, com.samsung.android.spage, com.samsung.android.rubin.app, com.samsung.android.app.routines, com.samsung.android.privateshare, com.samsung.android.samsungpositioning.
  10. Do not remove com.samsung.android.knox.containercore, com.samsung.android.devicehealthmanager, or any package with framework or provider in the name.
  11. After each removal, verify basic function: make a call, open Play Store, check that Settings opens normally.
  12. When finished, exit the shell with exit and revoke USB debugging in Developer Options as a hygiene step.
  13. In Settings, Privacy, open Ads and tap Reset Advertising ID, then toggle Opt out of Ads Personalization.
  14. In Settings, Biometrics and security, scroll to Samsung Privacy and disable all optional data sharing toggles.
  15. Restart the phone. Verify your baseline network usage in Settings, Connections, Data usage over the next 48 hours.

Safety warning: if the phone enters a boot loop after any removal, boot into recovery mode (hold Volume Down plus Power during restart on most Samsung models) and use wipe cache partition. If that does not help, factory reset from recovery restores all system packages. You lose personal data, so back up first.

Decision table: which packages to act on first

Package nameWhat it doesDisable safelyRemove via ADB
com.samsung.android.bixby.agentBixby voice assistantYesYes
com.samsung.android.spageSamsung Free news feedYesYes
com.samsung.android.rubin.appSamsung experience researchYesYes
com.samsung.android.samsungpositioningSamsung location service (redundant with GPS)YesYes
com.samsung.android.privateshareSamsung-to-Samsung file sharingYesYes
com.samsung.android.pushserviceguiSamsung Push ServiceYesCaution
com.samsung.android.knox.containercoreKnox security containerNoNo
com.miui.analyticsXiaomi analytics engineYesYes
com.miui.systemadserverXiaomi advertising serverYesYes
com.xiaomi.mipicksGetApps (Xiaomi store)YesYes
com.miui.daemonMIUI persistent daemonCautionCaution
com.heytap.smarttrackerOPPO/Realme telemetryYesYes
com.coloros.phonemanagerOPPO Phone ManagerYes (limit permissions)Caution

GDPR (EU/EEA): Pre-installed telemetry apps processing personal data require a lawful basis under Article 6. Most OEMs claim “legitimate interest” (Article 6(1)(f)). German and French DPAs have argued that persistent device telemetry without a clear, granular opt-in does not meet the legitimate interest threshold under the CJEU’s Planet49 ruling. As of 2025, no major OEM has faced a final GDPR enforcement decision specifically targeting device-level telemetry, but several investigations are in progress.

CCPA (California): California residents can request that companies stop “selling or sharing” their personal information, including data derived from device telemetry. Samsung, Xiaomi, and OPPO all publish CCPA opt-out pages, but the opt-out operates at the account level and does not prevent the device-level data flow before an account is created.

India DPDP Act 2023: India’s Digital Personal Data Protection Act, enacted in August 2023, requires explicit consent for personal data processing. Enforcement rules are still being finalized by the Data Protection Board of India, but the consent framework, once active, would require Xiaomi and other OEMs to obtain affirmative consent for MIUI Analytics rather than relying on bundled terms.

Brazil LGPD: Brazil’s Lei Geral de Proteção de Dados (Law 13.709/2018), enforced by the ANPD, requires consent or legitimate interest for data processing. The ANPD opened a preliminary inquiry into Xiaomi’s data practices in 2023, though no final ruling has been issued.

Broader location tracking mechanics

Which apps to disable on day one

Every privacy-conscious Android user should take these steps within the first hour of setting up a new phone, before entering any account credentials.

On Samsung: disable Bixby, Samsung Free, Samsung Positioning, and the experience research app (Rubin). Open Settings, Privacy, Samsung Privacy and turn off all optional telemetry toggles.

On Xiaomi: disable MIUI Analytics, GetApps, and Mi Ads. Open Settings, Privacy, Ad Services and toggle off all personalization. In the default Mi Browser settings, disable “Statistics and Usage Data.”

On OPPO/Realme/OnePlus: disable Heytap Smart Tracker, limit Phone Manager permissions to remove contacts and location access.

On all Android phones: open Settings, Privacy, Ads, reset the Advertising ID, and enable “Delete Advertising ID” if the option is available (Android 12 and later). Open Settings, Location, App permissions and revoke location from every app that does not genuinely need it.

The realistic outcome: you will not eliminate OEM telemetry entirely without replacing the OS. What you can realistically achieve is removing the most aggressive data collection and making what remains subject to permissions you have consciously granted.

Employer-installed tracking for comparison


Frequently Asked Questions

Is pre-installed bloatware actually spying on me?

It depends on the definition of spying. Vendor apps like Samsung’s com.samsung.android.privateshare and Xiaomi’s com.miui.analytics send device identifiers, usage statistics, and in some cases browsing data to OEM servers without explicit user notice. Trinity College Dublin’s 2021 study confirmed Samsung sends device telemetry every five minutes even with all opt-outs selected. That is data collection you did not choose and may not know about, which meets many people’s working definition of surveillance, even if it falls short of the legal definition of wiretapping.

Will debloating break my phone?

Disabling apps via Settings, Apps, Disable is always safe and fully reversible. Removing packages via ADB’s pm uninstall --user 0 removes the app for your user account only and can be undone by reinstalling from the Play Store or via pm install-existing. The risk starts when people remove packages that other apps depend on, for example removing Samsung Device Health Services can break health integrations. Universal Android Debloater’s recommended list marks risky packages in red. Never remove packages you cannot identify.

What does Samsung actually do with the telemetry data?

Samsung’s global privacy policy, published at samsung.com/global/privacy, says device telemetry is used for “improving products and services” and “personalizing experiences.” The 2021 Trinity College Dublin study documented that Samsung specifically collects IMEI, device model, OS version, app install lists, and network operator. Some of that data was found on Samsung servers in the United States and South Korea. Under GDPR, Samsung has invoked “legitimate interest” as the legal basis, a classification that EU data protection authorities have contested.

Can I remove Samsung bloatware without rooting the phone?

Yes. The adb pm uninstall --user 0 command removes a package for your user account without rooting. You need Android Debug Bridge installed on a computer, USB debugging enabled on the phone via Settings, Developer Options, USB Debugging, and a USB cable. The Universal Android Debloater GUI tool wraps these commands with a safe recommended, advanced, and expert tier system. Disabling in Settings, Apps is simpler but leaves the package installed and occupying storage space. Root or Magisk are not required for the most effective debloating.

Is Xiaomi’s MIUI Analytics actually gone when I disable it?

Partially. The com.miui.analytics package stops processing data on-device when its permissions are revoked. However, the 2020 Forbes investigation documented that Xiaomi’s default Mi Browser sent browsing history including HTTPS URLs to servers in Singapore even in private mode. Background telemetry from com.miui.systemadserver and MIUI’s advertising ID framework persists until those packages are also disabled or removed. Disabling analytics alone is not enough.

Do Google Pixel phones also send telemetry?

Yes. Pixel phones ship with Google Mobile Services (GMS) which sends telemetry to Google servers, including location, app usage, and device diagnostics. The Trinity College Dublin 2021 study found that even minimal-setup Pixel phones sent identifiers to Google every few minutes. Pixel has fewer vendor-layer apps than Samsung, but the Google-layer telemetry is comparable in volume. The key difference is that Google’s data use is governed by one privacy policy you can read, rather than a stack of OEM, carrier, and Google policies layered on top of each other.

What about carrier-installed bloatware on top of Samsung’s?

Carriers like Verizon, AT&T, and T-Mobile add their own layer of pre-installed apps on top of Samsung’s One UI: Verizon Cloud, AT&T Visual Voicemail, T-Mobile Name ID, and others. These apps have their own telemetry. Most carrier apps can be disabled in Settings, Apps. An unlocked Samsung phone bought directly from samsung.com or Best Buy carries roughly 20 fewer pre-installed packages than the same model purchased through Verizon.

Questions & answers

Things readers ask about this

7 questions · updated May 2026

Is pre-installed bloatware actually spying on me?
It depends on the definition of spying. Vendor apps like Samsung's com.samsung.android.privateshare and Xiaomi's com.miui.analytics send device identifiers, usage statistics, and in some cases browsing data to OEM servers without explicit user notice. Trinity College Dublin's 2021 study confirmed Samsung sends device telemetry every five minutes even with all opt-outs selected. That is data collection you did not choose and may not know about, which meets many people's working definition of surveillance, even if it falls short of the legal definition of wiretapping.
Will debloating break my phone?
Disabling apps via Settings, Apps, Disable is always safe and fully reversible. Removing packages via ADB's pm uninstall --user 0 removes the app for your user account only and can be undone by reinstalling from the Play Store or via pm install-existing. The risk starts when people remove packages that other apps depend on, for example removing the Samsung Device Health Services can break health integrations. Universal Android Debloater's recommended list marks risky packages in red. Never remove packages you cannot identify.
What does Samsung actually do with the telemetry data?
Samsung's global privacy policy, published at samsung.com/global/privacy, says device telemetry is used for 'improving products and services' and 'personalizing experiences.' The 2021 Trinity College Dublin study (Douglas Leith) documented that Samsung specifically collects IMEI, device model, OS version, app install lists, and network operator. Some of that data was found in Samsung servers in the United States and South Korea. Under GDPR, Samsung has invoked 'legitimate interest' as the legal basis, a classification that EU data protection authorities have contested.
Can I remove Samsung bloatware without rooting the phone?
Yes. The ADB pm uninstall --user 0 command removes a package for your user account without rooting. You need Android Debug Bridge installed on a computer, USB debugging enabled on the phone (Settings, Developer Options, USB Debugging), and a USB cable. The Universal Android Debloater GUI tool wraps these commands with a safe recommended/advanced/expert tier system. Disabling in Settings, Apps is simpler but leaves the package installed and occupying space. Root or Magisk are not required for the most effective debloating.
Is Xiaomi's MIUI Analytics actually gone when I disable it?
Partially. The com.miui.analytics package processes data on-device when its permissions are revoked via Settings, Apps, Permissions. However, the 2020 Forbes investigation (Thomas Brewster) documented that Xiaomi's default Mi Browser and Xiaomi Browser sent browsing history including HTTPS URLs to servers in Singapore even in private mode, a behavior Xiaomi later patched. Background telemetry from com.miui.systemadserver and MIUI's advertising ID framework persists until those packages are also disabled or removed. Disabling analytics alone is not enough.
Do Google Pixel phones also send telemetry?
Yes. Pixel phones ship with Google Mobile Services (GMS) which sends telemetry to Google servers, including location, app usage, and device diagnostics. The Trinity College Dublin 2021 study compared Samsung, Xiaomi, Huawei, Realme, LineageOS, and iOS and found that even minimal-setup Pixel phones sent identifiers to Google every few minutes. Pixel has fewer vendor-layer apps than Samsung, but the Google-layer telemetry is comparable in volume. The key difference is that Google's data use is governed by one privacy policy you can read, rather than a stack of OEM plus carrier plus Google policies.
What about carrier-installed bloatware on top of Samsung's?
Carriers like Verizon, AT&T, and T-Mobile add their own layer of pre-installed apps on top of Samsung's One UI: Verizon Cloud, AT&T Visual Voicemail, T-Mobile Name ID, and others. These apps have their own telemetry. Most carrier apps can be disabled in Settings, Apps. Some cannot be removed without ADB. Unlocked Samsung phones bought directly from samsung.com or Best Buy carry fewer carrier apps. An unlocked Galaxy S24 Ultra ships with roughly 20 fewer pre-installed packages than the same phone purchased through Verizon.