Chinese Company Added a Secret Backdoor in Phones Sold in the US – Sent Data to Shanghai
Security researchers have identified several models of Android phones that feature a secret backdoor which sends all your data to servers in China. The authorities aren't clear if it's another attempt to mine data for advertising purposes or a Chinese government effort to collect intelligence.
Chinese company added a monitoring tool in some US phones
Kryptowire, the security firm responsible for detection, claims to have identified several models of Android mobile devices that contained firmware that collected "sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent." Using a preinstalled firmware over-the-air (FOTA) update, a company named Shanghai Adups Technology Co Ltd was able to carry out these monitoring activities without any detection.
Adups was able to get access to the location of users, whom they talk to, contact list, and the content of their text messages, among other personal data. The International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) were also part of the data that was sent to the monitoring company every 72 hours.
"The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices," a press release by Kryptowire claims.
Major retailers in the United States, including Amazon and Best Buy, were selling these infected products, Kryptowire confirmed.
Why the AV programs couldn't detect it
The device and user information was collected and transmitted after multiple layers of encryption. This collected and encrypted data was then sent over secure web protocols to a server in Shanghai. Why couldn't anti-virus tools detect this behavior? Because the monitoring software came pre-installed with the device, the AVs white-listed it as they assume software shipping with the device is not malware. Oh, the irony.
Remember, this is not just another vulnerability discovered in Android. It's a private company trying to add a backdoor and having gone undetected, until now. Adups intentionally designed this software to help an unnamed Chinese phone manufacturer monitor user behavior, Adups explained to BLU executives. BLU, an American phone manufacturer, discovered over 120,000 of its phones were affected. It has now updated the software to eliminate the feature.
Adups provides the code that allows companies to remotely update their firmware. Apart from BLU, Adups claims to have provided software to some of the largest phone makers in the world, including ZTE (statement at the end of this post) and Huawei. Both of them are based in China. But, this software version that BLU and Kryptowire discovered affecting several Android devices in the US wasn't intended for American phones.
"This is a private company that made a mistake," Lily Lim, a lawyer representing Adups said.
Google develops and distributes Android mobile OS for free to phone manufacturers. Google told Adups to remove the surveillance software from phones that run services like Google Play Store. However, Adups can include the monitoring tool in devices that are used in China, where Google doesn't operate.
The latest discovery made by Kryptowire shows another example of how a private company can compromise user privacy. It's not just about Google or the phone maker. Any of the associated companies can create backdoors to collect data. But, it's the phone maker who has to take responsibility to intensively test products before shipping them to users.
At this point, it is yet to be investigated whether this was indeed just a mistake or an intended effort of data collection. We have previously seen several reports where Chinese companies have tried to track users and monitor online conversations without user consent. Department of Homeland Security said it "was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies.”
Lim insisted that Adups was not affiliated with the Chinese government. Adups has also assured BLU that all of the information taken from BLU customers had been destroyed.
[Update]: ZTE's response to Adups having sold software to the company
In an email statement to Wccftech, ZTE USA said that no devices in US have ever had the Adups software:
We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.
The company didn't add if the phones in China use Adups-provided software.