Commercial firmware pre-installed on some Android smartphone models sold in the US has been found to be secretly sending highly sensitive data to a third party company based in China, according to analysis by security firm Kryptowire.
Personal data being transmitted without users’ knowledge or consent included text messages, call logs, contacts, app usage data and even a user’s location.
While smartphones with the firmware in question included the BLU R1 HD, pictured above, which is sold for circa $50 via major retailers such as Amazon.com.
A full list of affected devices is not available at this point.
The company controlling the firmware has claimed it was mistakenly installed on phones sold in the US — and that that version had been created for a Chinese OEM selling devices domestically.
In a press release detailing its code and network analysis of the data-harvesting firmware, Kryptowire writes:
These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information. The firmware could identify specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.
Kryptowire traced the transmissions of personal data to Shanghai Adups Technology Co. Ltd — a maker of Firmware Over The Air (FOTA) update software systems.
On its website Adups says it has more than 700 million active users and a market share of more than 70 per cent across 200+ countries and regions, with its FOTA systems integrated into more than 400 mobile operators, semiconductor vendors, and device manufacturers — spanning mobiles, wearables, cars and televisions.
In an interview with the NYT, a lawyer representing Adups said the firmware functionality was built at the request of an unidentified Chinese client who intended it to be used to combat spam text messages and for customer support. Although the paper notes US authorities aren’t ruling out the possibility it might have been a Chinese government effort to collect intelligence on US mobile users.
Adups claims to have deleted all accidentally harvested data since Kryptowire contacted it. While BLU’s CEO also tells the paper its phones are no longer harvesting data. Some 120,000 of the smartphones had apparently been affected prior to it pushing an update to kill the firmware’s monitoring.
Kryptowire notes the software and behavior of the firmware bypassed detection by mobile antivirus tools since they assume the software that ships with a device is not malware — and therefore whitelisted it.
The harvested data was encrypted by Adups in transit but Kryptoware was able to identify the encryption key during its analysis, and decrypt text message content — providing a sample text message which reads: “Be there in 5”.
Its analysis also found data transmissions varied depending on the data type, occurring every 72 hours for text messages and call log data, and every 24 hours for other personally identifiable information. It also identified additional functionality in how Adups’ server responded — enabling the monitoring system to support searching for a particular phone number or keyword used within a message.
Kryptoware argues the findings bolster the case for “more transparency at every stage of the supply chain”. It has reported the firmware analysis to the US government, which is now looking to identify “appropriate mitigation strategies”, working with public and private sector partners.