Backdoor on budget phones are sending data back to China

[Guest]

Budget phones are seeing popularity given the amount of features and performance most of them are starting to bring though compromise is necessary

One compromise would be software with most phones containing bloatware; a report by Kryptowire, Homeland Security contractor, shows that it also carries a backdoor

 

Quote

Software installed on some Android phones secretly monitored users, and even sent keyword-searchable, full text message archives to a Chinese server every 72 hours, according to research from security firm Kryptowire. The software, which also tracked users’ location data and call logs, was written by the Chinese company Shanghai Adups Technology Company, but its purposes — state surveillance or advertising — are unknown. “This isn’t a vulnerability, it’s a feature,” Kryptowire vice president of product Tom Karygiannis told The Verge.

 

There are currently hundreds of millions of affected phones, and most of them seem to be coming from, well, China

Quote

Adups claims to have software running on more than 700 million, mostly low-end devices, and says it has partnered with some major manufacturers like Huawei and ZTE, but the scope of the installed software is also unclear. (Huawei and ZTE did not immediately respond to a request for comment.) At least one US manufacturer, BLU Products, was affected, with 120,000 phones found running the tracking software. The company told the Times it has since removed it.

 

I don't personally own a "budget" phone, but I do see why many people buy it, in fact I sometimes want to jump on getting one

I honestly think that most manufacturers do the practice though I am not quite sure how large of a scope it is compared to the aforementioned issue with budget phones

 

Source: The Verge, New York Times

[Jonathan W]

1 minute ago, DatSpeed said:

Budget phones are seeing popularity given the amount of features and performance most of them are starting to bring though compromise is necessary

One compromise would be software with most phones containing bloatware; a report by Kryptowire, Homeland Security contractor, shows that it also carries a backdoor

I'm curious as to how and why they figured out this "feature" and if Huawai and ZTE are in the clear, why they havent said anything about it yet

[danomicar]

What could they be doing with all that data? And also, don't major phone companies collect similar information from their users?

[Spork829]

What "budget" phone manufacturers, specifically? Do we know?

[Guest]

2 minutes ago, Jonathan W said:

I'm curious as to how and why they figured out this "feature" and if Huawai and ZTE are in the clear, why they havent said anything about it yet

Kryptowire tests most of the phones that go through the Homeland Agency, and one of the researchers used a BLU R1 HD and noticed that it had some unusual network activity when booting up [Source: New York Times]

[Guest]

Just now, Spork829 said:

What "budget" phone manufacturers, specifically? Do we know?

Quote

Adups claims to have software running on more than 700 million, mostly low-end devices, and says it has partnered with some major manufacturers like Huawei and ZTE, but the scope of the installed software is also unclear. (Huawei and ZTE did not immediately respond to a request for comment.) At least one US manufacturer, BLU Products, was affected, with 120,000 phones found running the tracking software. The company told the Times it has since removed it.

 

[Tech_Dreamer]

watch out NSA, you got competition!

[SCHISCHKA]

I'm not in USA or China but I believe in equality. I believe that if the spies in the five-eyes network can see what Im doing then it's only fair that the chinese get to see it too.

[Spork829]

4 minutes ago, DatSpeed said:

<snip>

Yep, I figured BLU would be involved. Huawei and ZTE are a little more surprising. Sounds to me like they might not have had much of a choice - just a thought.

[tlink]

1 hour ago, DatSpeed said:

Budget phones are seeing popularity given the amount of features and performance most of them are starting to bring though compromise is necessary

One compromise would be software with most phones containing bloatware; a report by Kryptowire, Homeland Security contractor, shows that it also carries a backdoor

 

 

There are currently hundreds of millions of affected phones, and most of them seem to be coming from, well, China

 

I don't personally own a "budget" phone, but I do see why many people buy it, in fact I sometimes want to jump on getting one

I honestly think that most manufacturers do the practice though I am not quite sure how large of a scope it is compared to the aforementioned issue with budget phones

 

Source: The Verge, New York Times

this is why you flash custom rom's kids.

[atrash]

1 hour ago, tlink said:

this is why you flash custom rom's kids.

because custom ROM is available to all the android phones out there and everyone knows how to do it...oh wait.

[tlink]

16 minutes ago, atrash said:

because custom ROM is available to all the android phones out there and everyone knows how to do it...oh wait.

if your phone doesn't have custom ROM's then you chose the wrong phone :P. and flashing roms is not the part thats hard, its dealing with the manufacturers bullshit that's hard. i bought my oneplus 2 because they encourage rooting and unlocking the bootloader. their custom rom support is amazing.

[0ld_Chicken]

Oh man, I'm always buying budget smartphones. They're dirt cheap (40$ no contact) and I don't have to worry about losing/breaking them at work.  Sure they're slow and crappy, but it's just a phone.

 

 I usually stick with lg though, hopefully they aren't affected/participating

 

Written from my shitty smartphone

[Jovidah]

Sadly not very surprising. Over the years there have been more reports about Chinese produced components (even if produced to specs for a customer) leaving the factory with hardware backdoors built into them.

 

If (industrional) espionage or security is a serious consideration for you, I'd recommend choosing your product in such a way that they do not contain a single component made in China.

[Jovidah]

5 hours ago, tlink said:

this is why you flash custom rom's kids.

That won't do a thing against hardware backdoors. 

If you're concerned enough to flash your ROM to protect against this thing, it simply isn't the solution. Any electronics produced in China should be ipso facto considered as compromised.

[Centurius]

3 hours ago, 0ld_Chicken said:

Oh man, I'm always buying budget smartphones. They're dirt cheap (40$ no contact) and I don't have to worry about losing/breaking them at work.  Sure they're slow and crappy, but it's just a phone.

 

 I usually stick with lg though, hopefully they aren't affected/participating

 

Written from my shitty smartphone

LG is South Korean so I highly doubt they're sending stuff to the Chinese.

[VerticalDiscussions]

Wonder if Meizu, Oppo, Elephone, Oukitel, UMI, Xiaomi, etc arent involved too eh? Heck, what if even OnePlus is doing this .----.?

[SansVarnic]

k

 

[0ld_Chicken]

12 minutes ago, Centurius said:

LG is South Korean so I highly doubt they're sending stuff to the Chinese.

Good to know! 

[tlink]

46 minutes ago, Jovidah said:

That won't do a thing against hardware backdoors. 

If you're concerned enough to flash your ROM to protect against this thing, it simply isn't the solution. Any electronics produced in China should be ipso facto considered as compromised.

why everything from china? if you're going that road you can just include every piece of hardware you buy.

[Magnetorheological]

I'm using a Xiaomi Redmi Note 4 right now... I'm screwed.

[Jovidah]

18 minutes ago, tlink said:

why everything from china? if you're going that road you can just include every piece of hardware you buy.

If you're concerned about security (for example due to the risk of industrial espionage, or for defense applications), you very well should. Every piece of hardware in the entire chain. Or keep it entirely disconnected from the internet on a seperate network (but that's not possible with a communication device like a mobile phone).

It's for very good reasons that military headquarters no longer allow people to bring phones inside, and are still using ancient Nokia-type dumb phones for internal usage as service phones. 

 

This is far from the first time something like this happens. It has been reported time after time over the last 10 years. There was even an example of some stuff produced for the US military that showed hardware backdoors when scanned the chips with special hardware.

 

Simply put, the Chinese government has been proven to be more than willing to implement these kind of things. They simply see their electronics manufacturing industry as a way to get ahead in the cyberwarfare department. Manufacturers might comply willingly or might be forced, but there really is no way of knowing. For all we know they are simply subsidized from the cyberwarfare budget just so they can be so damn cheap (and succesful).

 

Switching to a different brand of phone doesn't necessarily 'fix' the problem, considering many of them might contain subcomponents that are made in China - and thus might prove to be a weak link.

[deviant88]

i can tell you that Xiaomi is one of them, my xiaomi mi4c came with bloat installled that was unremovable, i was looking for a phone that can run Cyanogen anyway so i formatted everything right from the get go, miui 7 sucks anyway

[tlink]

32 minutes ago, Jovidah said:

If you're concerned about security (for example due to the risk of industrial espionage, or for defense applications), you very well should. Every piece of hardware in the entire chain. Or keep it entirely disconnected from the internet on a seperate network (but that's not possible with a communication device like a mobile phone).

It's for very good reasons that military headquarters no longer allow people to bring phones inside, and are still using ancient Nokia-type dumb phones for internal usage as service phones. 

 

This is far from the first time something like this happens. It has been reported time after time over the last 10 years. There was even an example of some stuff produced for the US military that showed hardware backdoors when scanned the chips with special hardware.

 

Simply put, the Chinese government has been proven to be more than willing to implement these kind of things. They simply see their electronics manufacturing industry as a way to get ahead in the cyberwarfare department. Manufacturers might comply willingly or might be forced, but there really is no way of knowing. For all we know they are simply subsidized from the cyberwarfare budget just so they can be so damn cheap (and succesful).

 

Switching to a different brand of phone doesn't necessarily 'fix' the problem, considering many of them might contain subcomponents that are made in China - and thus might prove to be a weak link.

but didn't the NSA do stuff like this too a lot? like literally put chips(cottonmouth) in USB and RJ45 ports as backdoors? that was more my point, its not just the chinese doing this on an industrial scale. 

[Jovidah]

Just now, tlink said:

but didn't the NSA do stuff like this too a lot? like literally put chips(cottonmouth) in USB and RJ45 ports as backdoors? that was more my point, its not just the chinese doing this on an industrial scale. 

Well there's a pretty good chance they're doing some of it too, although to my (limited) knowledge the western agencies have focused more energy at the internet nodes.

 

They have however been far more reluctant to abuse that power for rather mundane stuff like industrial espionage or other peacetime uses. So a lot of this was targetted at intercepting potential terrorist communications and that sort of thing. Although most of them have wisened up and returned to old-fashioned non-electronic means of communication once they realized their vulnerability. OBL's paranoia in that regard certainly helped lengthen his lifespan.

 

If you truly want certain digital data to be 'secure', the only solution is to have no outside connection.

For most consumers, I suppose this Chinese stuff isn't really any more problematic than the US stuff. They don't care about your naked pictures, your secret closet fetish for japanese manga, your e-cheating on your wife or any other private stuff. Unless you're in a position of either power or knowledge, where they can use it to blackmail you, or simply get the data directly. Government employees, government (sub-)contractors and high-tech firms are really the ones at risk here.