The last thing you want your smartphone doing is sending your text messages, contacts, and location history to a server in China. But according to mobile security firm Kryptowire, a particularly nasty brand of Android software did just that, transmitting text, data, call, location, and app data to a Chinese server every 72 hours.
The code, which came preinstalled on certain Android devices, sent the data surreptitiously. “Even if you wanted to, you wouldn’t have known about it,” Kryptowire vice president of product Tom Karygiannis told The New York Times.
A subsequent investigation conducted by mobile security researchers at Trustlook found that devices from as many as 43 manufacturers, including brands like Lenovo and Gionee, contained similar spyware. According to the firm’s report, Adups’ software collects serial numbers, software version numbers, operator information, and texting and call data from infected phones; the company found traces in All Win Tech smartphones in Taiwan, Archos devices in France, DEXP phones in Russia, and Prestigio hardware in the Czech Republic.
The spyware is the product of Chinese firm Shanghai Adups Technology Company, and it targeted more than 700 million low-end Android devices. Adups said it worked with phone makers like Huawei and ZTE to develop the tool to monitor user behavior — ostensibly to identify junk text messages and calls.
But the software was never intended for American phones. An apparent bug caused more than 120,000 phones sold by Florida-based handset company Blu to become infected with the Adups tool. “Blu products has identified and has quickly removed a recent security issue caused by a third-party application which has been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of Blu mobile devices,” a spokesperson for the company said.
In Blu’s case, the malware appears to have originated from a seemingly innocuous support app. Adups provides a utility that manufacturers use to perform remote firmware updates. “It was obviously something that we were not aware of,” Samuel Ohev-Zion, Blu’s chief executive, told The New York Times.
Blu claims Adups disregarded its request not to mine users’ data. “We have an email history with Adups saying we did not want that functionality on our devices, and they violated our request,” Ohev-Zion told PCMag. The company has retained the services of Kryptowire to “keep tabs” on its software for a year, and has partnered with chipmaker MediaTek to ensure its phones receive up-to-date, “clean” versions of Android.
Adups said that it had destroyed all information collected from Blu phones. “Today there is no Blu device that is collecting that information,” Ohev-Zion said.
It is not the first time Adups has raised the ire of an American tech giant. Google, Android’s primary developer, instructed the Chinese firm to remove its surveillance tools from phones that shipped with the Google Play Store.
It is unclear which devices are vulnerable. So far, the company has declined to publish a list of affected phones and it said that there was not an easy way for customers to determine whether or not their devices contained Adups’ monitoring software. A representative for the company told The New York Times that it was incumbent on phone manufacturers, not Adups, to inform users that their personal information was being collected.
ZTE USA released a statement to the press in November. “We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not,” it said. “ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.”
The United States Department of Homeland Security is expected to publish a report on the incident. Kryptowire, an agency contractor, provided its findings to the department prior to publication. “[The agency] was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies,” a spokesperson for Homeland Security told The New York Times.
Article originally published in November 2016. Updated on 12-21-2016 by Kyle Wiggers: Added notes from Trustlook investigation.