
Secret backdoor found on hundreds of thousands of Android phones

Nowak

http://arstechnica.com/security/2016/11/chinese-company-installed-secret-backdoor-on-hundreds-of-thousands-of-phones/


 

Just in case you thought your smartphone was private, think again!

Quote

Security firm Kryptowire has uncovered a backdoor in the firmware installed on low-cost Android phones, including phones from BLU Products sold online through Amazon and Best Buy. The backdoor software, initially discovered on the BLU R1 HD, sent massive amounts of personal data about the phones and their users’ activities back to servers in China that are owned by a firmware update software provider. The data included phone number, location data, the content of text messages, calls made, and applications installed and used.

But why is this data being collected? Advertising, what else would it be used for?

 

Quote

The company, Shanghai AdUps Technologies, had apparently designed the backdoor to help Chinese phone manufacturers and carriers track the behavior of their customers for advertising purposes. AdUps claims its software runs updates for more than 700 million devices worldwide, including smartphones, tablets, and automobile entertainment systems. It is installed on smartphones from Huawei and ZTE sold in China.

However, even though it was primarily found on Huawei and ZTE devices, it's also been found on BLU Products phones - even though BLU is an American company.

 

Quote

The backdoor was part of the commercial Firmware Over The Air (FOTA) update software installed on BLU Android devices provided as a service to BLU by AdUps.

But of course, they're completely innocent and this isn't being done for the Chinese government.

Quote

A lawyer for the company told The New York Times that the data was not being collected for the Chinese government, stating, “This is a private company that made a mistake.”

 

A listing of everything transmitted by the phones:

Quote

These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices... The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information.

And how the data is transmitted:

 

Quote

The user data was sent in JavaScript Object Notation (JSON) format to a number of servers, all with the hostname bigdata: bigdata.adups.com, bigdata.adsunflower.com, bigdata.adfuture.cn, and bigdata.advmob.cn. The data collection and transmission capability is spread across different applications and files. Text message data (encrypted with DES, which Kryptowire researchers were able to recover the key for) and call log information were sent back every 72 hours. Other data, including location data and app use, was sent every 24 hours.

So, those cheap Android phones from China still seem good to you? Or is your privacy more important than saving a couple hundred bucks on a phone?

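A defensive check based on the hostnames in the quoted report above, as an added example that is not part of the original post or of Kryptowire's work: it scans DNS query logs for devices looking up the four listed `bigdata` hosts. The dnsmasq-style log format, the sample lines, and the choice to also match subdomains are assumptions.

```python
import re
from collections import defaultdict

# Hostnames named in the quoted Kryptowire summary above.
ADUPS_HOSTS = {
    "bigdata.adups.com",
    "bigdata.adsunflower.com",
    "bigdata.adfuture.cn",
    "bigdata.advmob.cn",
}

# Constructed sample lines in dnsmasq query-log style (assumed format;
# the client addresses and the "eu." subdomain are made up for the demo).
SAMPLE_LOG = """\
Nov 16 09:00:01 dnsmasq[411]: query[A] bigdata.adups.com from 192.168.1.23
Nov 16 09:00:02 dnsmasq[411]: query[A] www.example.org from 192.168.1.23
Nov 16 09:00:05 dnsmasq[411]: query[AAAA] BigData.AdFuture.cn. from 192.168.1.40
Nov 16 09:00:09 dnsmasq[411]: query[A] notbigdata.adups.com from 192.168.1.50
Nov 16 09:00:12 dnsmasq[411]: reply bigdata.adups.com is 203.0.113.7
Nov 16 09:01:30 dnsmasq[411]: query[A] eu.bigdata.advmob.cn from 192.168.1.23
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()

def matches_listed_host(name):
    """True for a listed host or a subdomain of one, never a lookalike prefix."""
    n = normalize(name)
    return any(n == h or n.endswith("." + h) for h in ADUPS_HOSTS)

def find_contacts(log_text):
    """Map each client address to the sorted listed hostnames it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)  # reply lines do not match and are skipped
        if m and matches_listed_host(m.group("name")):
            hits[m.group("client")].add(normalize(m.group("name")))
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in sorted(find_contacts(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(names))
```
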

ICYMI

 

 


RIP

 

Glad I went for a Windows Phone :) 


7 minutes ago, MSWindowsinside said:

RIP

 

Glad I went for a Windows Phone :) 

I don't think you realize the irony of what you just posted...

You're still sending data, just to M$


15 minutes ago, PocketNerd said:

I don't think you realize the irony of what you just posted...

You're still sending data, just to M$

At least MS uses it for good purposes.

Not some shady un-encrypted Chinese servers without your permission


10 minutes ago, UberGamerKing said:

At least MS uses it for good purposes.

Not some shady un-encrypted Chinese servers without your permission

Define "good purposes"

Cause depending on who you ask, no purpose is a good purpose.


Just now, PocketNerd said:

Define "good purposes"

Cause depending on who you ask, no purpose is a good purpose.

Pretty much every service you use on your phone, data is being collected. This isn't new.


2 minutes ago, Wikiforce said:

You not aware of their involvement with NSA -_- 

I am, but there is nothing wrong with giving small amounts of data to the NSA.

Microsoft doesn't provide your texts or emails to the NSA, the mobile carriers do that.

 

Microsoft provides the following 2 tiny amounts of data to the NSA:

The email address registered to the phone

When the phone is turned on/off

 

The first one, the phone carriers could do themselves, as they have your phone number and email address.

The second, well who cares if the NSA knows when your phone is turned off/on. Not like that makes any difference.


21 minutes ago, UberGamerKing said:

At least MS uses it for good purposes.

Not some shady un-encrypted Chinese servers without your permission

"good purposes"


45 minutes ago, PocketNerd said:

I don't think you realize the irony of what you just posted...

You're still sending data, just to M$

In Microsoft's case it's a golden huge front door with cash on it ;)

Let's be real. Expensive phones are likely transmitting stuff too. Maybe not to the same servers, but don't be a fool. They all want your data.

1 hour ago, TidaLWaveZ said:

ICYMI

 

 

 

1 hour ago, BroliviaWilde said:

This appears to be a repost:
 

 

Didn't notice. Was in a rush to get out the door and I really wanted to get something posted, so... ¯\_(ツ)_/¯


2 hours ago, BlueChinchillaEatingDorito said:

Pretty much every service you use on your phone, data is being collected. This isn't new.

Right, but we're usually told pretty clearly as to why, and we can opt into or out of it.

In the case of Windows, most people have no choice as they need to use it for Work.


4 hours ago, PocketNerd said:

Right, but we're usually told pretty clearly as to why, and we can opt into or out of it.

In the case of Windows, most people have no choice as they need to use it for Work.

 

Can opt into or out of it? Well not really. It'll usually be in the EULA and realistically the only way to fully "opt out" is not straight up uninstall the app.

 


11 hours ago, Daring said:

So, those cheap Android phones from China still seem good to you? Or is your privacy more important than saving a couple hundred bucks on a phone?

Even back then, cheap Android phones didn't appeal to me because I was concerned about tanking performance on basic tasks (constant stuttering and frequent lagging) so nope. Ain't gonna buy those Chinese Android phones.

 

I'm wondering if they've done a similar test with high end Android phones. I'm looking forward to an LG V20.


If I were to get one of those cheap Chinese phones I would probably install a custom ROM anyway . . . Their Android skins are often terrible

23 hours ago, UberGamerKing said:

At least MS uses it for good purposes.

Not some shady un-encrypted Chinese servers without your permission

MS does the same thing, because even if you try to disable it it still sends the data. Without your permission! 9_9


9 hours ago, Coaxialgamer said:

If I were to get one of those cheap Chinese phones I would probably install a custom ROM anyway . . . Their Android skins are often terrible

As I said in the other thread, that's pretty damn useless, considering the likelihood of hardware backdoors being present.

And that's for all Chinese produced hardware, not just specific brands. I would be surprised if the Oneplus was any different.
