Samsung users report ‘unremovable’ Israeli bloatware AppCloud on devices

South Korean tech giant Samsung has come under fire after users flagged that its devices contained what cybersecurity experts are calling bloatware across multiple regions globally. 

Bloatware is a pre-installed application that runs on a device’s operating system. Initially, the software, AppCloud, was reported to be pre-installed in Samsung Galaxy A and M series phones across West Asia and North Africa.

But now, users from Europe and South Asia have reported that the bloatware also comes pre-installed on their devices, and is "unremovable".  

Uninstalling bloatware requires root access, the highest level of control in a computer system. 

In February, SMEX (formerly Social Media Exchange), a digital rights organisation based in Beirut, reported that AppCloud secretly harvests user data and lacks an accessible privacy policy, raising legal and ethical concerns due to its ties to the Israeli firm ironSource.

IronSource has been notorious for building invasive programmes that allow it to install software on the user’s device without permission. 

Some of the software it has built in the past, like InstallCore, was successfully able to circumvent the user validation process and bypass security checks, including antivirus programmes. 

IronSource is now owned by the American company Unity, which provides software solutions for mobile phones, tablets and other devices. 

SMEX reported that uninstalling the bloatware is "not possible without root access".

"Since AppCloud seems to be built into the system by Samsung, there is no way to purchase a new model without it," the report said. 

The organisation in May wrote an open letter to Samsung after receiving no answers from the company about the serious privacy threat. 

"Samsung’s terms of service mention third-party applications but do not specifically address AppCloud or ironSource, despite the significant data access and control granted to this bloatware app," the letter read. 

Back in focus once again

The issue regained momentum online after users from Europe and South Asia reported that AppCloud was also pre-installed in their newly purchased phones and tablets. 

"Even when disabled, AppCloud remains on the device, reappears after updates, and can covertly install additional software," International Cyber Digest (ICD), a weekly newsletter on cybersecurity, wrote on X. 

The editor of the newsletter, who prefers to maintain anonymity online, told Middle East Eye that it was the persistence of the app that was worrisome.

"Why can't the user remove a third-party app? Even after it is removed, it appears again after every update," they said. 

"It is a disgrace that a phone company would sell devices with bloatware. You've already paid for the phone, and now Samsung is making customers pay for additional data usage too."

Pegasus: Israeli spyware scandal explained

Read More »

Users also shared screenshots of the permissions AppCloud requested, which included "full network access", "download files without notification" and "prevent phone from sleeping", among others.

"These permissions show the building blocks of an always-on data pipeline," cybersecurity expert Ehraz Ahmed told MEE.

"None of that proves classic ‘spyware’, but for a preloaded component that ordinary users can’t uninstall and that has no easily accessible privacy policy, it’s a clear example of how aggressive ad-tech can blur into surveillance," the security researcher said. 

After the issue regained prominence online, Mohamad Najem, the founder of SMEX, took to social media to say that Samsung had not responded to their emails or the open letter yet. 

Israel's history with spyware and mass surveillance 

On 17 September 2024, Hezbollah communication devices across Lebanon exploded, killing 39 people, including party members and civilians, after Israel boobytrapped pagers and walkie-talkies, infiltrating Hezbollah’s supply chain through a complex network of shell companies.

A second wave of attacks occurred the following day, when more devices exploded during the funerals of Hezbollah members. The incidents heightened fears of other electronic devices detonating, prompting many people to put away their smartphones and disconnect household appliances.

Thousands were wounded in the attack, with many suffering life-altering injuries to the eyes, face and hands. United Nations experts described it as a "terrifying" violation of international law.

Yossi Cohen, the former head of Mossad, told The Brink podcast in October that he had invented the "equipment manipulation" method and that Israel has "manipulated equipment" in "all countries that you can imagine".

 

 

 

View this post on Instagram

 

 

 

 

 

 

 

 

 

 

 

A post shared by Middle East Eye (@middleeasteye)

In September 2025, people took to social media to call for the mass cancellation of ExpressVPN subscriptions after it emerged that the popular privacy service is owned by a cybersecurity firm with Israeli ties.

In 2021, The Times of Israel reported that Kape Technologies, a British-Israeli digital security company, had acquired ExpressVPN, one of the world’s largest virtual private network (VPN) providers, for nearly $1bn.

The calls for cancellation intensified after social media users began circulating information about Teddy Sagi, the Israeli billionaire and owner of Kape Technologies. Many shared that in 2023, as reported by The Jerusalem Post, Sagi donated $1m to transport soldiers during the Israeli war on Gaza.

In 2021, an investigation into a massive data leak by The Guardian, The Washington Post and 15 other media outlets showed that activists, politicians and journalists from around the world were targeted with a software called Pegasus sold by the Israeli surveillance company NSO Group. 

The spyware was not only used for mass surveillance worldwide, but the Israeli police also used it for spying on its own citizens, including senior government officials critical of Prime Minister Benjamin Netanyahu.

The Israeli company has been linked to governments exploiting its technology to spy on journalists, activists and politicians. 

In September, The Guardian reported that Microsoft cut off the Israeli military's Unit 8200's access to some technology over reports that it had violated the company’s terms of service by storing mass surveillance data of Palestinians in its Azure cloud platform.