Commercial firmware pre-installed on someAndroid smartphone models soldin theUS has been found to besecretly sending highly sensitive data to a third party company based in China, according to analysis bysecurity firm Kryptowire.
Personal databeing transmitted without users knowledge or consent included text messages, call logs, contacts, app usage data and even a users location.
While smartphones with the firmware in question included the BLU R1 HD, pictured above, which is sold for circa $50 via major retailers such as Amazon.com.
A full list of affected devices is not available at this point.
The company controlling the firmware has claimed itwas mistakenly installed on phones sold in the US and that that version had been created for a Chinese OEM selling devices domestically.
In a press releasedetailing itscode and network analysis of the data-harvestingfirmware, Kryptowirewrites:
These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users consent and, in some versions of the software, the transmission of fine-grained device location information. The firmware could identify specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.
Kryptowire traced the transmissions ofpersonal data to Shanghai Adups Technology Co. Ltd a maker of Firmware Over The Air (FOTA) update software systems.
On its website Adups says it has more than 700 million active users and a market share of more than70 per cent across 200+ countries and regions, with its FOTA systemsintegrated into more than 400 mobile operators, semiconductor vendors, and device manufacturers spanning mobiles, wearables, cars and televisions.
In an interview with theNYT, a lawyer representing Adups said the firmware functionality was built at the request of an unidentified Chinese client who intended it to be used to combat spam text messages and for customer support. Although the paper notesUSauthorities arent ruling out the possibility it might have beena Chinese government effort to collect intelligence on US mobile users.
Adupsclaims to have deleted all accidentally harvested data since Kryptowire contacted it. While BLUs CEO also tells the paper its phones are no longer harvesting data. Some 120,000 of the smartphoneshad apparently been affected prior to it pushing an update to kill the firmwares monitoring.
Kryptowire notes the software and behavior of the firmware bypassed detection by mobile antivirus tools since they assume thesoftware that ships with adevice is not malware and therefore whitelisted it.
The harvested data was encrypted by Adups in transit but Kryptoware was able to identify the encryption key during its analysis, and decrypt text message content providing a sample text message which reads: Be there in 5.
Its analysis alsofound data transmissions varied depending on the data type, occurring every 72 hours for text messages and call log data, and every 24 hours for other personally identifiable information.It also identified additional functionality in how Adupsserver responded enabling the monitoring system tosupport searching for a particular phone number or keyword used within a message.
Kryptoware argues the findingsbolster the case for more transparency at every stage of the supply chain.Ithas reported the firmware analysis to the US government, which is nowlooking toidentify appropriate mitigation strategies, workingwith public and private sector partners.