A previously unknown backdoor built into Android firmware has been secretly monitoring the personal communications information of over 700 million device owners worldwide and sending it to a server in China, according to security researchers.
This dubious software feature, discovered by security company Kryptowire, documents all call and location logs as well as a fully searchable text message archive and contact list from each phone. Then, every 72 hours, the firmware sends all collected data to the company that wrote the software, Shanghai Adups Technology.
The spyware was found by accident when a Kryptowire employee noticed strange network traffic occurring on a handset he had purchased for travel. As his team looked closer at the phone, they discovered that the firmware was effectively spyware.
“The user and device information was collected automatically and transmitted periodically without the users’ consent or knowledge… [the feature] cannot be disabled by the end user,” researchers explained in a blog post. “… This behavior bypasses the detection of mobile antivirus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.”
The software is mostly installed on budget Android phones, and Shanghai Adups boast contracts with Huawei and ZTE. One U.S. manufacturer has been affected so far, BLU Products, and the software was found mainly on devices sold through online retailers like Amazon.
There are many mobile phone applications and software features that collect user data, often to sell to advertisers and other third parties. It is a legal requirement that these companies inform users and have them sign an agreement, usually on installation.
Shanghai Adups’ firmware was pre-installed and made no mention of its monitoring capabilities. Even more sinister, Shanghai Adups’ product can identify a specific phone and its location, then enable the remote installation of other apps and control operations on the target handset from anywhere in the world.
As the New York Times reported on Wednesday, Shanghai Adups did not intend for the firmware to find its way onto American phones and claims to have since deleted data collected from BLU handsets. The company also insisted that the collected data had not been passed on to any other party. Still, the question remains as to the purpose of this kind of feature at all.
It’s impossible to say at this stage why the tracking software was collecting such an extensive amount of personal information. The discovery exposes a serious breach of user privacy.
Shanghai Adups are not formally affiliated with the Chinese government, but U.S. government officials are particularly rattled and have not ruled out that the firmware’s purpose was surveillance.