Android Firmware ‘Mistakenly’ Sends User Data To China

A number of Android smartphones included firmware that sends detailed user information to servers in Shanghai, researchers have found.

The handsets, including low-end devices sold online by Amazon and Best Buy, transmitted data including the full body of text messages, contact lists, call history with telephone numbers, unique device identifiers and other data to servers owned by the firmware’s maker, Shanghai AdUps Technology, according to Kryptowire.

‘Transparency needed’

“As smartphones are ubiquitous and, in many cases, a business necessity, our findings underscore the need for more transparency at every stage of the supply chain,” the firm said in an advisory.

The devices affected include the BLU R1 HD, a popular device marketed by Amazon in the US, Kryptowire said.

AdUps said it designed the firmware for Chinese phone manufacturers and carriers to help them track customer behaviour for advertising purposes. The code is built into models sold by Huawei, ZTE and others intended for the Chinese market, and was included in the BLU devices by mistake, the company said.

BLU is a Miami-based company that has sold low-end devices in the Americas for decades and has recently expanded its US operations.

An attorney for AdUps told the New York Times the data was not being collected for the Chinese government, stating AdUps was “a private company that made a mistake”.

Detailed data

The data was sent in JavaScript Object Notation (JSON) format to a number of servers, all containing the term “bigdata”, and the firmware included tools allowing the identification of specific users and text messages matching remotely defined keywords.

It collected and transmitted details about the use of applications, executed remote commands with system-level privileges and had the capability to remotely reprogram devices.

Text message and call log data were sent to the server every 72 hours, with information including location and app use details sent every 24 hours.

BLU said in a statement the backdoor affected only a “limited number” of its devices, and said those devices have since been updated to remove the functionality.

The company told the Times about 120,000 devices were affected.

UPDATE: Huawei has denied its handsets used the firmware

“We take our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security,” a spokesperson told TechWeekEurope. “The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.”

Quiz: What do you know about Chinese IT?

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

More Layoffs For iRobot Staff After Abandoned Amazon Deal

After axing 31 percent of its workforce when it failed to be acquired by Amazon,…

6 hours ago

Mozilla Foundation Confirms Layoffs, Eliminates Advocacy Division

Mozilla Foundation axes 30 percent of its staff, and is eliminating its Advocacy Division that…

8 hours ago

Google To Make MFA Mandatory Next Year

Improving security. Mandatory multi-factor authentication (MFA) is coming to the Google Cloud by the end…

9 hours ago

UK Government Launch AI Safety Platform For Businesses

New AI assurance platform from UK government will help businesses ensure they can safely develop…

9 hours ago

Australia Plans Social Media Ban For Children Under 16

Protecting kids? Australian government confirms plan to implement restriction on social media for children under…

11 hours ago

Canada Orders Shutdown Of TikTok’s Canadian Business

Canada ordered China's TikTok business in the country to be dissolved over national security risks,…

13 hours ago