Some lower-end Android phones are sending user data to China
In our increasingly connected world, data security is becoming more important than ever. Thanks to the prevalence of mobile devices and online services, our personal data is spread far and wide. Securing user data has been a consistent challenge with Android devices, due mainly to the open source nature of the software. The Stagefright vulnerability exposed close to 1 billion Android devices to malicious attacks before it was discovered last year, and attacks are growing more and more complex. Security firm Kryptowire recently discovered that several Android models have firmware that exposes a user’s data without the user even knowing it.
Kryptowire didn’t give a list of affected devices, but said they were “available through major US-based online retailers (Amazon, Best Buy, for example) and included popular smartphones such as the BLU R1 HD.” The malicious firmware could transmit user data to a third-party server in Shanghai, China. Data that was sent included the “full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).”
Kryptowire discovered that the firmware “also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.” The user of the mobile device would not see any notification or flag that this activity was occurring and would be completely unaware of the data being captured and sent.
Kryptowire has determined that “the core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices [they] tested and were managed by a company named Shanghai Adups Technology Co. Ltd.” Essentially, Adups updated the firmware of affected devices, exposing the user data therein. Adups’ website touts the company’s global presence, citing over 700 million active users. It could not be determined whether all users were exposed to the malicious code, although BLU Products estimates that 120,000 of its phones are affected.
A lawyer representing Adups said that the company made “a mistake,” as the tracking firmware was made for a specific manufacturer in China to track and analyze user data. The firmware was never meant to be released outside of this scope, and certainly not in the United States.
BLU Products CEO Samuel Ohev-Zion said that the firmware “was obviously something that we were not aware of. We moved very quickly to correct it.” The company has since issued an update for the BLU R1 HD that has eliminated the data hole, and has issued a statement saying that all data captured from BLU customers has been deleted and destroyed.
Users who feel their phone may be compromised should contact the manufacturer immediately. The U.S. Department of Homeland Security is working with Kryptowire and other public and private sector contractors to resolve any security concerns.