Kryptowire, a security firm, recently identified several models of Android mobile devices that have preinstalled permanent software that serves as backdoor collecting sensitive personal data, including text messages, geolocations, contact lists, call logs, and transmits them to a server in Shanghai, China.
Without users’ consent, the code can bypass Android’s permission model. This could allow anyone interested in a mobile user’s data — from government officials to malicious hackers — to execute remote commands with system privileges and even reprogram the devices.
The firmware was developed by Chinese company Shanghai ADUPS Technology Company. ADUPS confirmed the report with a bollox statement claiming that it was somehow to do with identifying junk texts.
Kryptowire’s research reveals that the collected information was protected with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other personally identifiable information.
ADUPS also explained that the “accustomed” firmware was ‘accidentally’ built into 120,000 mobile products of one American phone manufacturer, BLU Products. After BLU raised the issue, ADUPS explained that the software was not designed for American phones and deactivated the program on Blu phones.
The news has been widely reported in foreign media as ADUPS is among the largest FOTA (firmware over the air) providers in the world. The company provides a cloud platform for mobile device management to over 700 million active users in 200 countries, which is equivalent to 70% of the global market share as it works closely with the world largest cheap mobile phone manufacturers ZTE and Huawei, both of which are based in China. In 2015 alone, Huawei sold more than 100 million smartphones.
Chinese netizens have not been surprised by the news. Reports about spyware preinstalled in Chinese mobile brands have circulated for many years among mainland and overseas Chinese speaking-communities. In 2014, Hong Kong Android Magazine reported that Xiaomi’s smartphones designed for overseas markets were automatically connecting to an IP in Beijing and that all documents, SMS and phone logs, and video files downloaded were being transmitted to a Beijing server.
In 2015, Germany-based security company G-Data also found out that at least 26 Android mobile brands had preinstalled spyware in their smartphones. The three biggest Chinese smartphone manufacturers, Xiaomi, Huawei and Lenovo were all listed.
China’s newly passed Cybersecurity Law has provided legal ground for the smartphone’s backdoor operation. The law requires “critical information infrastructure operators” to store users’ “personal information and other important business data” in China.
In response to the news, many Chinese netizens are pointing out the abusive use of personal data and government surveillance has become the norm.