A security firm claims it has found mobile phone firmware on smartphones being sold in the US that transmitted personally identifiable information (PII) to servers in China via a back door. Several such reports have emerged over the years, and conspiracy theories usually point to the Chinese government being the ultimate beneficiary of the data. The software company in question – Shanghai Adups Technology – however claims that this is not the case, and that the software meant for a Chinese manufacturer was mistakenly included in US devices.
Security firm Kryptowire says it has found several models of Android smartphones being sold through US retailers like Amazon and Best Buy that contained the contentious firmware. These models included the Blu R1 HD, which gained popularity due to its very low price of $50 (subsidised by ads) and was sold exclusively through Amazon. The common denominator between the smartphones was the presence of commercial Firmware Over The Air (FOTA) software made by Adups: a back door found to be collecting and transmitting sensitive data to its servers in China, apart from having the ability to execute remote commands with escalated privileges and to reprogram devices.
Information that was collected and transmitted included the full body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) from a user’s phone. In some versions of the software, it even included fine-grained location. This transfer was happening without any notice to the customer. Notably, even anti-virus and other security software on phones were not able to detect the threat, as they normally disregard software already bundled on the phone by the smartphone manufacturer.
As mentioned, the software was spotted in the Blu R1 HD smartphone, and Kryptowire informed Google, Amazon, Blu, and Adups of the issue. Both Blu and Amazon were fast to react. Blu has issued a software update that will apparently fix the ‘potential security issue’, which is said to affect 120,000 of its devices. Furthermore, the Blu R1 HD, which was being sold exclusively on Amazon, is no longer listed on the website either. Amazon is also informing users that their smartphones will receive an update.
Adups has defended itself and its intentions, saying the data is not linked to the Chinese government. According to a document provided by Adups to Blu to explain the issue, and obtained by the New York Times, the company said the version of the software that collected and transmitted information was meant for a certain Chinese manufacturer that wanted to monitor user behaviour. It was not meant for smartphones in the US. “This is a private company that made a mistake,” the company’s lawyer told the NYT.
Adups claims that its software is present in over 700 million devices in 200 countries, including smartphones made by Huawei and ZTE. Its service portfolio includes smartphones, tablets, and automobile entertainment systems.
While both Adups and Blu have acknowledged the issue, there is the possibility that such a back door continues to exist in other smartphones using versions of the FOTA software. If you’d like to check whether your smartphone is affected, look for these packages on your smartphone – com.adups.fota and com.adups.fota.sysoper.
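To make that check concrete, here is an added shell example (not from the article, Kryptowire or Adups) that scans the output of Android's `pm list packages -f` for the two package names above and reports where each APK is installed, since a package on the read-only system image cannot be removed by the user and needs a vendor firmware update. The listing embedded below is constructed for offline use; on a real device the function is fed from `adb shell pm list packages -f`.

```shell
#!/bin/sh
# Added example: flag the Adups FOTA packages named in the article in a
# `pm list packages -f` listing. Each line from the Android package manager
# has the form:  package:<apk path>=<package name>
# Real device:   adb shell pm list packages -f | check_adups

ADUPS_PACKAGES="com.adups.fota com.adups.fota.sysoper"

# Reads a package listing on stdin and prints one FOUND line per Adups
# package, with its APK path and whether it sits on the system image
# (removable only via a firmware update) or in user-installed storage.
# Prints nothing when the listing is clean. Always returns 0.
check_adups() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        entry=${line#package:}
        pkg=${entry##*=}            # text after the last '=' is the package name
        path=${entry%=*}            # text before it is the APK path
        for wanted in $ADUPS_PACKAGES; do
            [ "$pkg" = "$wanted" ] || continue
            case "$path" in
                /system/*|/vendor/*|/product/*)
                    where="system image (needs firmware update)" ;;
                *)
                    where="user-installed (can be uninstalled)" ;;
            esac
            echo "FOUND $pkg at $path: $where"
        done
    done
    return 0
}

# Constructed sample listing (not real device output) for a stand-alone run.
SAMPLE_LISTING='package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/priv-app/AdupsFota/AdupsFota.apk=com.adups.fota
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/priv-app/AdupsFotaSysoper/AdupsFotaSysoper.apk=com.adups.fota.sysoper'

printf '%s\n' "$SAMPLE_LISTING" | check_adups
```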