A previously unknown backdoor built into Android firmware has been secretly monitoring the personal communications information of over 700 million device owners worldwide and sending it to server in China, according to security researchers.
This dubious software feature, discovered by security company Kryptowire, documents all call and location logs as well as a fully searchable text message archive and contact list from each phone. Then, every 72 hours, the firmware sends all collected data to a the company that wrote the software, Shanghai Adups Technology.
The spyware was found by accident when a Kryptowire employee noticed strange network traffic occurring on a handset he had purchased for travel. As his team looked closer at the phone, they discovered that the firmware was effectively spyware.
“The user and device information was collected automatically and transmitted periodically without the users’ consent or knowledge… [the feature] cannot be disabled by the end user,” researchers explained in a blog post. “… This behavior bypasses the detection of mobile antivirus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.”
The software is mostly installed on budget Android phones, and Shanghai Adups boast contracts with Huawei and ZTE, although both these companies denied in statements to the press that Adups software has ever been installed on their devices. One U.S manufacturer has been affected so far, BLU products, and was found mainly on devices sold through online retailers like Amazon.
There are many mobile phone applications and software features that collect user data, often to sell to advertisers and other third parties. It is a legal requirement that these companies inform users and have them sign an agreement—usually on installation.
Shanghai Adups’ firmware was pre-installed and made no mention of its monitoring capabilities. Even more sinister, Shanghai Adups’ product can identify a specific phone and its location then enable the remote installation of other apps and control operations on the target handset from anywhere in the world.
As the New York Times reported on Wednesday, Shanghai Adups did not intend for the firmware to find its way onto American phones and claims to have since deleted data collected from BLU handsets. The company also insisted that the collected data had not been passed on to any other party. Still, the question remains as to the purpose of this kind of feature at all.
It’s impossible to say at this stage why the tracking software was collecting such an extensive amount of personal information. The discovery exposes a serious breach of user privacy.
Shanghai Adups are not formally affiliated with the Chinese government, but U.S government officials are particularly rattled and have not ruled out that the firmware’s purpose was surveillance.
Update 9:52am CT, Nov. 18: Huawei and ZTE, which Adups claimed to have contracts with, have denied installing the company’s firmware on their devices.
“Huawei takes our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security,” the company said in a statement. “The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.”