Dark Reading

Mobile

11/15/2016 04:00 PM
Firmware Secretly Sent Text, Call Data On Android Users To China

Several Android models sold in the US likely impacted, says Kryptowire

Several Android smartphone models sold in the US, including via major online retailers like Amazon and BestBuy, had firmware in them that surreptitiously collected and sent detailed personally identifiable information on users and devices to a server based in China.

An employee working for DARPA-funded security firm Kryptowire stumbled upon the issue when using a burner phone from Miami-based BLU Products he had purchased for a trip overseas. When setting up the device, the Kryptowire employee noticed some strange network activity and started poking around.

The investigation led to the discovery of firmware on the phone designed to actively transmit device identifying data and user information, including the complete content of text messages, full contact lists, call history data, and other information to a server based in Shanghai.

The firmware bypassed Android’s permission model and also collected and transmitted information on the use of applications installed on the device, Kryptowire announced in an alert this week. “It executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices,” the security firm said.

Kryptowire’s alert is sure to rekindle memories of a similar episode involving Carrier IQ, a now-defunct mobile analytics company that in 2011 was caught up in a huge controversy over allegations that it collected and transmitted user and device data to carriers without user consent. Though it later turned out the company was only collecting data for monitoring device and network performance, Carrier IQ’s failure to fully disclose what its software did led to considerable speculation about its motives.

Kryptowire’s analysis of the code and network activity showed that the Adups firmware on some Android devices allowed for remote installation of user applications without any user consent. In some instances, the firmware gathered and relayed what the security firm described as fine-grained location data on the device.

Everything the firmware gathered was wrapped in multiple layers of encryption and transmitted over secure web protocols to Shanghai. Collected text messages and call-log data were transmitted to China every 72 hours, while other personally identifiable information was sent every 24 hours.

Because the firmware shipped with the device as part of the stock system image, anti-virus tools treated its components as trusted pre-installed applications and put them on their application whitelists.
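The detection angle in the paragraphs above (unexpected network activity from a pre-installed app, sending on a fixed 24- or 72-hour schedule, invisible to whitelisting anti-virus) can be checked from an egress log rather than by chance. The following is an added example, not code from Kryptowire or from this article: it runs over a constructed per-app connection log (package names, install paths and hostnames are placeholders) and flags system-partition packages whose connections to one host recur at an almost constant interval.

```python
"""Detect fixed-interval beaconing by pre-installed (system) apps.

Added example, not from the Kryptowire report or Dark Reading. The log
below is constructed to mimic a per-app egress log with one record per
connection: timestamp, package, install path, destination host, bytes.
A system app phoning home on a schedule shows up as a near-constant gap
between connections to the same host; ordinary traffic is irregular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Hostnames and package names
# are placeholders chosen for illustration, not the real Adups ones.
SAMPLE_LOG = """\
2016-10-01T03:00:05Z com.example.fota /system/app/Fota.apk upd.example-fota.cn 41211
2016-10-01T09:12:44Z com.example.chat /data/app/Chat.apk chat.example.com 901
2016-10-01T10:00:00Z com.example.sysbrowser /system/app/Browser.apk cdn.example.org 77012
2016-10-01T10:30:00Z com.example.sysbrowser /system/app/Browser.apk cdn.example.org 1024
2016-10-02T03:00:11Z com.example.fota /system/app/Fota.apk upd.example-fota.cn 40987
2016-10-02T17:40:02Z com.example.chat /data/app/Chat.apk chat.example.com 12030
2016-10-02T21:00:00Z com.example.sysbrowser /system/app/Browser.apk cdn.example.org 5000
2016-10-03T03:00:02Z com.example.fota /system/app/Fota.apk upd.example-fota.cn 41502
2016-10-03T06:00:00Z com.example.sysbrowser /system/app/Browser.apk cdn.example.org 3200
2016-10-03T08:01:19Z com.example.chat /data/app/Chat.apk chat.example.com 220
2016-10-04T03:00:09Z com.example.fota /system/app/Fota.apk upd.example-fota.cn 41033
2016-10-04T22:15:30Z com.example.chat /data/app/Chat.apk chat.example.com 5512
"""

# Partitions that hold pre-installed, non-removable packages.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")


def parse_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, path, host, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "pkg": pkg, "path": path, "host": host, "bytes": int(nbytes),
        })
    return records


def is_system_app(path):
    return path.startswith(SYSTEM_PREFIXES)


def find_beacons(records, min_samples=4, max_jitter=0.05):
    """Return {(pkg, host): interval_seconds} for system apps whose gaps
    between successive connections to one host are almost constant
    (population std dev / mean gap <= max_jitter)."""
    by_key = defaultdict(list)
    for r in records:
        if is_system_app(r["path"]):
            by_key[(r["pkg"], r["host"])].append(r["ts"])
    hits = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits


if __name__ == "__main__":
    for (pkg, host), secs in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{pkg} -> {host}: beacon every {secs / 3600:.1f}h")
```

On the sample the placeholder FOTA package is reported with a 24-hour interval (86401 s), while the irregular system browser and the user-installed chat app are not. The jitter threshold is the knob to tune: a real schedule drifts with reboots and connectivity, so use a window of several weeks and relax `max_jitter` before concluding a device is clean.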

Kryptowire traced the monitoring back to a commercial Firmware Over The Air (FOTA) update service operated by Shanghai Adups Technology Co., Ltd.

The Chinese company’s website describes it as a leading provider of firmware over-the-air services for end-to-end mobile device management. Adups claims that more than 400 mobile operators, device manufacturers and semiconductor companies currently use its service to deliver firmware updates and device upgrades for their products, and that its firmware is present on the devices of over 700 million mobile phone users in some 200 countries.

In a statement responding to Kryptowire’s report, Adups suggested the firmware discovered on the Android phones from Blu was included by mistake and was meant for use only by some specific, unnamed clients.

The customers apparently wanted Adups to provide a way to flag junk texts and calls to users, so the firm developed a customized FOTA application that collected messages and applied backend data analytics to them to identify and flag those that fit that category. The specialized application looks for and flags content that has previously been associated with junk messages, Adups said.

In June 2016, the customized firmware inadvertently ended up on devices sold in the US by Blu Products. When Adups learned of the issue it took measures to disable the monitoring functionality and updated the firmware so it is no longer an issue, the Chinese firm claimed. All text messages, phone logs, contact lists, and other data collected and transmitted to Adups have been deleted, the company added.

The New York Times on Tuesday quoted Blu Products CEO Samuel Ohev-Zion as saying the company had not been aware of the issue until notified by Kryptowire. Some 120,000 Blu devices were affected and have now been upgraded so the firmware no longer poses a threat, he said. Adups has assured Blu that all data collected on customers has been destroyed, Ohev-Zion told the Times.

In comments to Dark Reading, Tom Karygiannis, vice president of product at Kryptowire says it is unclear how many Android phones sold in the US have the Adups firmware installed on them. The Kryptowire report is based only on the devices from Blu that the company tested in its labs, he says.

It is not possible to know if Android phones from other vendors are similarly impacted without testing them, he says.

Adups did not immediately respond to a request seeking information on whether Blu was the only Android device vendor in the US that was impacted or if others were as well.

End users cannot easily disable the system applications doing the collecting and sending of device data and PII, Karygiannis says.

“If they were using the devices with the firmware we analyzed, the average consumer wouldn't know and wouldn't have been given the opportunity to review and accept a EULA” for it, he said.
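As a complement to Karygiannis's point above: on a stock device the offending packages cannot be uninstalled, but anyone with USB debugging enabled and adb on a PC can at least disable them for the current user. The script below is an added example and not code from Kryptowire, BLU or Adups. The `pm list packages -f -U` sample it parses is constructed, the watchlist entry `com.example.fota` is a placeholder rather than the real package name, and the "shares the system uid outside the com.android namespace" heuristic is an assumption of this example (many legitimate OEM components also share uid 1000, so treat hits as triage leads, not verdicts).

```python
"""Inventory pre-installed packages and disable selected ones for the
current user without root.

Added example, not from Kryptowire, BLU, Adups or Dark Reading. It parses
`adb shell pm list packages -f -U` output (the sample below is
constructed), picks out packages on the system partitions that match a
watchlist or run as the privileged system uid, and issues
`pm disable-user --user 0 <pkg>` for each. The `run` callable is
injectable so the flow can be exercised with no device attached.
"""
import re
import subprocess

SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")
SYSTEM_UID = 1000  # android.uid.system; needs a platform-signed APK
LINE_RE = re.compile(
    r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)(?:\s+uid:(?P<uid>\d+))?$"
)

# Constructed sample shaped like `pm list packages -f -U` output.
# Package names are placeholders, not the real Adups components.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Fota/Fota.apk=com.example.fota uid:1000
package:/system/priv-app/FotaOps/FotaOps.apk=com.example.fota.sysoper uid:1000
package:/data/app/com.example.chat-1/base.apk=com.example.chat uid:10087
package:/system/app/Calculator/Calculator.apk=com.android.calculator2 uid:10042
"""


def adb_run(args):
    """Real runner: execute adb with the given arguments and return stdout.
    Requires adb on PATH and an authorized device."""
    proc = subprocess.run(["adb", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def parse_pm_list(text):
    """Turn `pm list packages -f -U` lines into {pkg, path, uid} dicts."""
    pkgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkgs.append({
                "pkg": m["pkg"],
                "path": m["path"],
                "uid": int(m["uid"]) if m["uid"] else None,
            })
    return pkgs


def suspicious(pkgs, watchlist):
    """System-partition packages that are on the watchlist (exact name or
    sub-package) or that share the system uid outside the AOSP namespace.
    The uid rule is a heuristic assumed by this example, not a rule from
    the report: OEM components legitimately share uid 1000 as well."""
    out = []
    for p in pkgs:
        on_system = p["path"].startswith(SYSTEM_PREFIXES)
        listed = any(p["pkg"] == w or p["pkg"].startswith(w + ".")
                     for w in watchlist)
        privileged = (p["uid"] == SYSTEM_UID
                      and not p["pkg"].startswith("com.android."))
        if on_system and (listed or privileged):
            out.append(p["pkg"])
    return out


def disable_for_user(pkgs, run=adb_run, user=0):
    """Disable each package for one Android user and return pm's reply.
    This is containment only: the APK stays on /system."""
    results = {}
    for pkg in pkgs:
        reply = run(["shell", "pm", "disable-user", "--user", str(user), pkg])
        results[pkg] = reply.strip()
    return results


if __name__ == "__main__":
    listing = adb_run(["shell", "pm", "list", "packages", "-f", "-U"])
    targets = suspicious(parse_pm_list(listing), ["com.example.fota"])
    for pkg, reply in disable_for_user(targets).items():
        print(f"{pkg}: {reply}")
```

Disabling with `pm disable-user` is containment, not removal: the APK remains on the read-only system partition, the disabled state is cleared by a factory reset, and a later OTA can restore the component, so the vendor's corrected firmware is still required.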

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

scanforsecurity.com, 11/16/2016 | 2:30:10 AM
China is very progressive in cyber security
China is very progressive in cyber security and spying, so this is not something new, I think. To protect from such activity, we need to move production of mobile phones to the local market and not outsource it to China :(