Owners of budget Android smartphones made by Chinese manufacturers have been warned that many are covertly sending data back to China, including complete text message conversations.
The situation was uncovered by a security firm called Kryptowire. It explained that the phones it tested were bought through obvious stores like Amazon, and that several different models include firmware that raises concerns.
“These devices actively transmitted user and device information, including the full body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers, including the International Mobile Subscriber Identity and the International Mobile Equipment Identity,” said the firm.
The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.
Kryptowire said that the firmware that enables this bad business also enables the remote installation of applications, without user consent, and occasionally “fine grained device location information”.
“The core of the monitoring activities took place using a commercial Firmware Over The Air update software system that was shipped with the Android devices we tested and were managed by a company named Shanghai Adups Technology Co,” the firm added.
Adups has some 700 million users worldwide.
It isn’t just Chinese firms that are getting the finger pointed at them. A US provider called BLU Products has also caught the attention of Kryptowire. BLU has admitted that it has a problem.
“BLU Products has identified and has quickly removed a recent security issue caused by a third-party application which had been collecting unauthorised personal data in the form of text messages, call logs and contacts from customers using a limited number of BLU mobile devices,” the firm said in a note on its website.
“Our customers’ privacy and security are of the utmost importance and priority. The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.”
The feature, for want of a better word, does not make itself obvious, but it can be dug out via the settings. BLU has provided a guide for its users.