Chinese Software Maker Took Smartphone Users’ Texts, Data Without Consent
A China-based software developer has created code that captures smartphone text message data and sends it back to private servers every three days without the users’ knowledge. That code was preinstalled on devices sold in the United States and undetectable by anti-virus software.
According to a mobile security firm that found the vulnerability in Android phones and released a statement Tuesday morning detailing the findings, the devices were actively transmitting user and device information including the full body of text messages, contact lists, call history – including full telephone numbers – and other unique information like the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). Every 24 to 72 hours the data was retrieved and transmitted to servers in Shanghai.
The pre-installed firmware used to monitor the activities and collect sensitive data was shipped with Android devices specifically, and managed by Shanghai Adups Technology Co. Ltd. The devices tested by the security company were made available in the U.S. by online retailers including Amazon and BestBuy, the statement said.
The Adups code was created for one of the company’s clients to provide a flagging mechanism for junk texts and calls for users.
“The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai,” the statement said. “This software and behavior bypasses the detection of anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white listed.”
>>See related: FBI Cybersecurity Chief: As Mobile Use Grows, So Do Threats
Adups intentionally designed the software to help a Chinese phone manufacturer capture user data, the New York Times reported. The software was not intended for phones sold in the U.S., the report said, but Adups mistakenly did it anyway, according to the company’s California-based attorney Lily Lim in a statement to the Times.
Adups touts manufacturing giants Huawei and ZTE as two of its clients, along with American-based phone maker BLU, based out of Florida. Adups claims it has code on more than 700 million smart devices in the world, including phones, cars, and other devices. As of now, only BLU products were known to have been carrying the firmware in the U.S.
>>See related: Truly Smart: Machine Learning Comes To The Mobile Phone
In a statement released Tuesday, Adups said the issue cropped up in June of this year inadvertently.
“In June 2016, some BLU Product, Inc. devices applied a version of the ADUPS FOTA application that inadvertently included the functionality of flagging junk texts and calls that had been requested by other ADUPS clients,” the statement said. “When BLU raised objections, ADUPS took immediate measures to disable that functionality on BLU phones. ADUPS updated applications for BLU phones, and those phones have passed the Kryptowire test. ADUPS also confirmed that no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from BLU phone during that short period was deleted.”
Kryptowire, the security firm that detected the Adups code, has reported the issue to the Department of Homeland Security. While it is believed that the vulnerability may have impacted the consumer market mostly, the issue could certainly be of consequence to enterprises operating in a BYOD environment, according to Kryptowire spokesperson Tom Karygiannis.
The security firm detected the issue in October, and Adups updated BLU's firmware just within the last week, Karygiannis said.
Blu offers inexpensive smartphones like the Win HD LTE and Win JR LTE, and said some 120,000 of its devices were impacted by the firmware, but has since upgraded the software to eliminate the vulnerability, the Times reported.
The company’s offerings were highlighted in Bloomberg’s BusinessWeek in August as manufacturing the number one-ranked smartphone on Amazon in the R1 HD – the exact phone used to find the Adups vulnerability. The phone, after a $50 Amazon subsidy, was available to the general public for $50.
Representatives for Blu could not be immediately reached for comment.
Mobile security continues to challenge users, especially in the enterprise where sensitive information is being transmitted constantly. Security across all platforms and industries will be the focus of Enterprise Mobility Exchange’s West Coast Security event on March 27 and 28 in Arizona. To see what the Exchange is like, learn more from the Mobile Cloud Computing and Security event held in Miami in October.