Android’s COVID-19 exposure notification system logs contact tracing data to the system (OS) logs, which are accessible by the ‘privileged’ apps on the user’s device. Privileged apps are third-party apps that Google or the phone vendor allow to access protected areas of your phone (e.g. Facebook has admin privileges on Samsung phones) — this concept of ‘privileged’ apps is a problem in itself.
Since 2012, Android doesn’t allow non-privileged apps to access the operating system’s logs. However, the fact that there are so many privileged apps bundled with phones (which can’t even be removed on some brands of phones) has thwarted this effort. Phone vendors and telecom companies have access to the system logs as well, and they aren’t known for respecting user privacy either.
Preinstalled apps are known for the excessive permissions that they use to collect large amounts of user data, and against the users’ will. The partnership between preinstalled app vendors and phone manufacturers, telecom companies has resulted in the sale of users’ data across the Internet without their permission.