- ICE cuts the cord on real immigrant hotline after being featured in ‘Orange Is the New Black’ 3 Years Ago
- The 10 best music podcasts for artist interviews and criticism in 2019 Today 10:41 AM
- How a socialist Twitch streamer landed in a feud with Dan Crenshaw Today 10:07 AM
- How to prepare for your fantasy football draft (and season) Today 9:00 AM
- Kit Harington is joining the MCU–and people are guessing which character he will play Today 8:48 AM
- How to live stream Juan Francisco Estrada vs. Dewayne Beamon Today 8:00 AM
- The 5 best free torrent clients you can download in 2019 Today 8:00 AM
- How to stream Saints vs. Jets in NFL preseason action Today 7:49 AM
- How to stream Chiefs vs. 49ers in NFL preseason action Today 7:36 AM
- How to live stream Bellator 225: Mitrione vs. Kharitonov Today 7:30 AM
- Alice Wetterlund draws insight from the last decade in ‘My Mama Is a Human and So Am I’ Today 7:00 AM
- How to stream the Cowboys vs. Texans NFL preseason showdown Today 7:00 AM
- How ‘Stranger Things’ is inspiring new waves of Dungeons and Dragons fans Today 6:00 AM
- Why you should be watching ‘Red vs Blue’ on Netflix Today 6:00 AM
- How to live stream Sergey Kovalev vs. Anthony Yarde Today 5:00 AM
A previously unknown backdoor built into Android firmware has been secretly monitoring the personal communications information of over 700 million device owners worldwide and sending it to server in China, according to security researchers.
This dubious software feature, discovered by security company Kryptowire, documents all call and location logs as well as a fully searchable text message archive and contact list from each phone. Then, every 72 hours, the firmware sends all collected data to a the company that wrote the software, Shanghai Adups Technology.
The spyware was found by accident when a Kryptowire employee noticed strange network traffic occurring on a handset he had purchased for travel. As his team looked closer at the phone, they discovered that the firmware was effectively spyware.
“The user and device information was collected automatically and transmitted periodically without the users’ consent or knowledge… [the feature] cannot be disabled by the end user,” researchers explained in a blog post. “… This behavior bypasses the detection of mobile antivirus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.”
The software is mostly installed on budget Android phones, and Shanghai Adups boast contracts with Huawei and ZTE, although both these companies denied in statements to the press that Adups software has ever been installed on their devices. One U.S manufacturer has been affected so far, BLU products, and was found mainly on devices sold through online retailers like Amazon.
There are many mobile phone applications and software features that collect user data, often to sell to advertisers and other third parties. It is a legal requirement that these companies inform users and have them sign an agreement—usually on installation.
Shanghai Adups’ firmware was pre-installed and made no mention of its monitoring capabilities. Even more sinister, Shanghai Adups’ product can identify a specific phone and its location then enable the remote installation of other apps and control operations on the target handset from anywhere in the world.
As the New York Times reported on Wednesday, Shanghai Adups did not intend for the firmware to find its way onto American phones and claims to have since deleted data collected from BLU handsets. The company also insisted that the collected data had not been passed on to any other party. Still, the question remains as to the purpose of this kind of feature at all.
It’s impossible to say at this stage why the tracking software was collecting such an extensive amount of personal information. The discovery exposes a serious breach of user privacy.
Shanghai Adups are not formally affiliated with the Chinese government, but U.S government officials are particularly rattled and have not ruled out that the firmware’s purpose was surveillance.
Update 9:52am CT, Nov. 18: Huawei and ZTE, which Adups claimed to have contracts with, have denied installing the company’s firmware on their devices.
“Huawei takes our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security,” the company said in a statement. “The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.”
David Gilmour is a reporter who specializes in national politics, internet culture, and technology. He previously covered civil liberties, crime, and politics for Vice.