Numerous low-cost Android phones are believed to come with a secret backdoor, which was found to have sent massive amounts of user data to China. The Chinese firm Shanghai Adups Technology Company was found to have intentionally pre-loaded phones with a secret backdoor-laced firmware, which sent users' location, text messages, phone IMEI and call records to servers in China every 72 hours, according to reports.
Adups claims that its code runs on over 700 million Android phones, cars and other smart devices. According to security firm Kryptowire, several Android phone models that came with the backdoor-laced firmware were found available for sale from online retailers such as Amazon and BestBuy. US-based phone manufacturer BLU Products confirmed that 120,000 of its phones had been affected, adding that it has since updated its phones' software to remove the feature, the New York Times reported.
"It was obviously something that we were not aware of. We moved very quickly to correct it," said Samuel Ohev-Zion, CEO of BLU Products.
The firmware allowed remote installation of applications without the users consent. Additionally, it could identify "specific users and text messages matching remotely defined keywords". The software also obtained and transmitted data about the kinds of apps used and came with the ability to bypass the Android permission model. Kryptowire highlighted that the firmware "executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."
Kryptowire VP said that Adups' code comes pre-installed in phones and its surveillance capabilities are not disclosed to users. "Even if you wanted to, you wouldn't have known about it," he said. The code was reportedly intentionally installed onto devices. According to the report, Adups specifically designed the software for a Chinese phone manufacturer to track user behaviour. The firm however said that the software was not intended to be used in American phones.
"This is a private company that made a mistake," said Lily Lim, a lawyer representing Adups. The software was reportedly created at the request of an unspecified Chinese manufacturer. According to Adups the Chinese firm used the data for customer support. Lim added that the software was intended to help the Chinese firm identify junk text messages and calls. "Adups was just there to provide functionality that the phone distributor asked for," she said.
According to US authorities, it is still unclear whether the matter relates to secretive data mining for advertising purposes or a more sinister approach of the Chinese government to obtain intelligence. A spokesperson for the Department of Homeland Security, Marsha Catron, said that the agency "was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies."
A spokesperson for Amazon told Motherboard, "We recently learned of a security issue on select BLU phones, some of which are sold on Amazon.com. The manufacturer, BLU Products, has confirmed they sent a software update to resolve the issue on impacted phones.
"Because security and privacy are of the utmost importance, all impacted phone models were immediately made unavailable for purchase on Amazon.com. Now that the issue has been resolved, we're working to make these phones available to Amazon.com customers again," the spokesperson said.