According to a New York Times report, certain budget smartphones in the US have been found to be secretly sending users’ personal data to a third-party company in China. The discovery was made by security firm Kryptowire, a Homeland Security contractor that analyzed the phones outside of its contract.
The culprit, according to the security firm, was pre-installed software in Android phones. The software transmitted sensitive data such as full-text messages, call logs, contacts, app usage data and even the user’s GPS location. The data was sent to third-party Chinese servers.
“This isn’t a vulnerability, it’s a feature,” Kryptowire VP of Product Tom Karygiannis told The Verge. Kryptowire made its findings public on Tuesday, informing the US government through a detailed report.
The software was written by Chinese firm Shanghai Adups Technology Company. The company claims to have software running on more than 700 million phones, mostly of the budget variety. Adups has also partnered with globally-known device manufacturers like Huawei and ZTE.
As of Kryptowire’s report, at least one manufacturer, Florida-based BLU Products, has been affected by the spyware, with around 120 thousand phones in circulation running the software.
“BLU Products has identified and has quickly removed a recent security issue caused by a third party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices,” the company said in a statement.
Adups told the New York Times that the software was “not meant for US phones.” The functionality, according to the software company, was “built at the request of an unidentified Chinese client who intended it to be used to combat spam text messages and for customer support.”
Here is Kryptowire’s technical description of its findings:
These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information. The firmware could identify specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.
Kryptowire expects more manufacturers to be affected by this issue. At the moment, a full list of affected devices is not yet available.