Which Android phones are stealing personal data?

Kryptowire, a US-based mobile products security firm, says that a number of Android phones are sending user data to China, unbeknownst to the device users, and perhaps even unbeknownst to the device vendors. It says that the affected phones used firmware produced by a company called Shanghai Adups Technology Co Ltd (which seems to be called just plain “Adups” in many reports). It is that firmware that is, effectively, “spyware”.

Already a number of phone companies have indicated that their phones are clean. The first to hit gadgetguy.com.au comes from Sam Skontos, the VP and Regional Managing Director, South-East Asia and Pacific, for Alcatel. His statement is blunt:

Alcatel and its parent company, TCT Mobile, has no relationship with Adups and has no such firmware on any of its devices. Further, Alcatel/TCT Mobile conducts their Firmware Over The Air (FOTA) updates through its own inhouse servers, not through third party suppliers.

Skontos sounds furious about the situation, warning that not all Chinese manufacturers are the same, and exhorting customers to take action:

We have seen around the world the potential for everyday consumers to make a difference, from world politics to more everyday matters. They have the opportunity to send a clear message to the companies conducting their business like this.

He notes that regardless of responses to the situation, confidence in the industry must surely be shaken:

This is just another example of how some Chinese manufacturers enter markets, do not disclose this type of activity to anyone including industry stakeholders, show no regard whatsoever for consumer security and privacy laws, until of course they are caught out. Firmware updates may be issued but the damage has been done, and questions need to be asked about why this was on their handsets in the first place.

His whole statement is over the fold if you want to read it.

As usual with this kind of thing, the focus has been on the US and its suppliers. Kryptowire notes that the affected phones were available through such vendors as Amazon and Best Buy and included popular models in the United States, such as the BLU R1 HD. It hasn’t otherwise identified publicly the range of models and brands affected. However, it did say that it “has communicated its findings with respect to the affected devices with Google, Amazon, Adups, and BLU”, so perhaps there aren’t any others.

Other sources say that phone makers ZTE and Huawei have denied that their phones are compromised, as has Google with respect to the Pixel and Nexus models.

(UPDATE: Huawei Australia says: “Huawei takes our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.” In other words, your Australian Huawei phone is not affected.)

So what is this compromised firmware doing? It’s pretty scary, really. It is taking information from the phone and sending it back to servers in Shanghai apparently belonging to Adups. The information? “the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI)” says Kryptowire. Furthermore, it had the ability to: “target specific users and text messages matching remotely defined keywords”. The term “spyware” is perhaps overused, but this really does look like espionage-style spying. If that’s not enough, the firmware monitored apps and could even get around the low level security functions built into Android in order to reprogram it. Oh, it could install apps on your phone. Says Kryptowire:

The user and device information was collected automatically and transmitted periodically without the users’ consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai.

So why hasn’t security software caught it before now? Unsurprisingly, such software assumes “that software that ships with the device is not malware and thus, it is white-listed”.
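To show what that white-listing assumption hides, here is an added example (not code from Kryptowire or from the original article) that audits an app inventory for packages able to read the data categories listed above and also reach the network. The inventory format and the package names are constructed placeholders; the permission names are real Android permissions in the android.permission namespace.

```python
# Data categories from the Kryptowire quote, mapped to the Android permissions
# (android.permission.* namespace) that gated them on Android of that period.
SENSITIVE = {
    "READ_SMS": "text messages",
    "READ_CONTACTS": "contact lists",
    "READ_CALL_LOG": "call history",
    "READ_PHONE_STATE": "device identifiers (IMSI/IMEI)",
    "INSTALL_PACKAGES": "silent app installation",
}
NETWORK = "INTERNET"

# Constructed inventory, one package per line: name|origin|permissions.
# Package names are hypothetical placeholders, not identifiers from the report.
SAMPLE_INVENTORY = """\
com.example.vendor.fota|system|INTERNET,READ_SMS,READ_CONTACTS,READ_CALL_LOG,READ_PHONE_STATE,INSTALL_PACKAGES
com.example.clock|system|WAKE_LOCK
com.example.flashlight|user|INTERNET,READ_CONTACTS
com.example.notes|user|READ_CONTACTS
"""


def parse_inventory(text):
    """Return (package, origin, permission_set) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, origin, perms = line.strip().split("|")
            rows.append((name, origin, set(perms.split(","))))
    return rows


def audit(text, trust_preinstalled):
    """Flag packages that can read sensitive data and also reach the network.

    trust_preinstalled=True reproduces the white-listing assumption: anything
    shipped in the system image is skipped without inspection.
    """
    findings = {}
    for name, origin, perms in parse_inventory(text):
        if trust_preinstalled and origin == "system":
            continue
        exposed = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
        if exposed and NETWORK in perms:
            findings[name] = exposed
    return findings


if __name__ == "__main__":
    for trust in (True, False):
        print(f"trust_preinstalled={trust}: {audit(SAMPLE_INVENTORY, trust)}")
```

With the white-list in place only the user-installed flashlight app is reported; with it removed, the pre-installed updater placeholder appears with all five data categories.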

Meanwhile the Office of the Australian Information Commissioner issued a very brief statement today on another matter:

I am concerned about allegations that personal information of Australian telecommunication customers is being offered for sale online. My office is making enquiries with Optus, Telstra and Vodafone to determine what further action I may take in this matter.

These allegations, and the community response they have generated, are a reminder that Australian customers expect businesses to handle their personal information in line with Australian law no matter where they operate.

So, how did this information come to be available for sale?


Statement of Sam Skontos, VP and Regional MD South-east Asia and Pacific for Alcatel:

It is a sad day when we are talking about spyware on devices and the fact that some global companies think it’s OK to take security and privacy away from consumers.

This is just another example of how some Chinese manufacturers enter markets, do not disclose this type of activity to anyone including industry stakeholders, show no regard whatsoever for consumer security and privacy laws, until of course they are caught out. Firmware updates may be issued but the damage has been done, and questions need to be asked about why this was on their handsets in the first place.

It proves that consumers are right to be ever-vigilant about their personal information. It’s also an important opportunity for consumers to ask questions, and for all industry stakeholders to do more to ensure consumer privacy is protected above all else. More questions need to be asked, and when these issues are found out, more needs to be done to hold to account companies who deceive consumers.

Do not tar all Chinese companies with the same brush. Alcatel has a significant local presence and works hard to localise every single device. You will not find any such spyware on our devices because we respect our customers and the right to strictly protect their privacy and security.

We have seen around the world the potential for everyday consumers to make a difference, from world politics to more everyday matters. They have the opportunity to send a clear message to the companies conducting their business like this. Consumers should be worried, but they should also be able to more easily identify the manufacturer of their handset, which may be different to the consumer branding on the handset itself.

The responses so far from those companies named in global media reports should only worry consumers and authorities more.