‘Secret backdoor’ in some low-priced Android phones sent user data to a server in China

Recently, security firm Kryptowire discovered pre-installed software on some Android phones in the U.S. that secretly sends information like text messages, location data, phone IMEI and call records to a server in China through a secret backdoor.

The software tracks users’ whereabouts, whom they talk to and the content of their text messages, sending the information to a server in China every 72 hours, according to the New York Times report. International customers and users of disposable and prepaid phones are the most vulnerable to the software breach, The New York Times also noted.

According to Kryptowire, the server belongs to a company named Shanghai Adups Technology Co. Ltd., which manufactures and sells a FOTA (Firmware Over The Air) update software system that many Android OEMs include with their devices. Its code runs on over 700 million Android phones, cars and other smart devices.

Kryptowire came across the issue after a researcher bought an inexpensive BLU R1 HD phone for an overseas trip. During the phone’s setup process, the researcher noted “unusual network activity.” Over the course of a week, the phone was found to be sending text messages to a server in Shanghai registered to Adups.

On its website, Kryptowire noted that the software and its behaviour managed to bypass mobile anti-virus protection because it ships with the device and is not assumed to be malware.

U.S.-based phone manufacturer BLU Products confirmed that 120,000 of its phones had been affected, adding that it has since updated its phones’ software to address the backdoor.

“It was obviously something that we were not aware of. We moved very quickly to correct it,” said Samuel Ohev-Zion, CEO of BLU Products.

The firmware allowed remote installation of applications without the user’s consent. It could also identify “specific users and text messages matching remotely defined keywords.” The software also acquired and communicated data about the kinds of apps used and came with the ability to bypass the Android permission model. Kryptowire emphasized that the firmware “executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.”

Adups said it intentionally created the backdoor to enable a Chinese phone vendor to track user behaviour, the New York Times reported, and said that version of the software was not intended to be used in American phones.

“This is a private company that made a mistake,” said Lily Lim, a lawyer representing Adups. The software was reportedly created at the request of an unspecified Chinese manufacturer. According to Adups, the Chinese firm used the data for customer support. Lim added that the software was intended to help the Chinese firm identify junk text messages and calls. “Adups was just there to provide functionality that the phone distributor asked for,” she said.

American authorities are unsure whether the secret backdoor is used to collect data for advertising purposes or whether it is an actual governmental effort at surveillance. A spokesperson for the Department of Homeland Security, Marsha Catron, said that the agency “was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies.”

Source: The New York Times