A security firm has discovered that some cheap Android smartphones sold in the U.S. have been extracting users’ personal data and transmitting it to a China-based company.
Commercial firmware pre-installed on some Android smartphone models sold in the U.S. has been found to be secretly sending highly sensitive data to Shanghai Adups Technology Co. Ltd., a maker of Firmware Over The Air (FOTA) update software systems, TechCrunch reported.
The Chinese company was able to spy on users’ phones through pre-installed commercial firmware, according to security firm Kryptowire. Without the phone users’ knowledge or consent, the firmware collects personal data such as text messages, call logs, contacts, app usage data and location.
Adups, which built and controlled the firmware, said that the data-collecting version was only meant for phones sold in its local market and had been installed on phones sold in the U.S. by mistake. It also claimed to have deleted all of the accidentally harvested data after the researchers contacted it about the findings.
One such phone with the embedded firmware is the BLU R1 HD, which sells in many stores and on Amazon.com for about $50. The report, however, does not include a full list of affected brands and models.
BLU has since released a statement that its phones are no longer harvesting data. A total of 120,000 BLU smartphones had previously been affected.
Kryptowire described what the firmware does on an affected phone in a press release:
“These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information. The firmware could identify specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.”
Kryptowire has also sent the report to the U.S. government, which is now investigating the matter.
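The capabilities Kryptowire lists (reading text messages, call logs and contacts, fine location, remote app installation, all from a privileged pre-installed component) suggest a first triage step for anyone holding one of these phones: dump the package database and look for system or privileged packages that hold that combination of permissions plus network access. The script below is an added example, not code from the article or from Kryptowire; it parses the output of `adb shell dumpsys package` (the layout is assumed from typical Android builds and varies between versions), and the sample dump and package names embedded in it are constructed for illustration, not real Adups identifiers.

```python
"""Triage: flag privileged pre-installed packages holding spyware-grade permissions.

Added example (not from the article or Kryptowire). The dumpsys layout is an
assumption; the embedded sample dump and package names are constructed.
"""
import re
import sys
from typing import Dict, List, Set

# Permissions matching the data-collection behaviour described in the report.
SENSITIVE: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.PACKAGE_USAGE_STATS",
}
NETWORK: Set[str] = {"android.permission.INTERNET"}

# Constructed, abridged `dumpsys package` output (layout assumed).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.fota.updater] (1a2b3c):
    userId=1000
    codePath=/system/priv-app/FotaUpdater
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
  Package [com.android.mms] (4d5e6f):
    userId=10012
    codePath=/system/app/Mms
    flags=[ SYSTEM HAS_CODE ]
    privateFlags=[ ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
  Package [com.example.weather] (7g8h9i):
    userId=10044
    codePath=/data/app/com.example.weather-1
    flags=[ HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
FLAGS_RE = re.compile(r"^\s*(privateFlags|flags)=\[\s*([^\]]*)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=true")


def parse_dumpsys(text: str) -> Dict[str, dict]:
    """Return {package: {"flags": set, "granted": set}} from dumpsys text."""
    pkgs: Dict[str, dict] = {}
    cur = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:  # start of a new package record
            cur = {"flags": set(), "granted": set()}
            pkgs[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = FLAGS_RE.match(line)
        if m:  # SYSTEM / PRIVILEGED markers live in flags= and privateFlags=
            cur["flags"].update(m.group(2).split())
            continue
        m = GRANT_RE.match(line)
        if m:  # only count permissions actually granted, not merely requested
            cur["granted"].add(m.group(1))
    return pkgs


def flag_suspicious(pkgs: Dict[str, dict], min_sensitive: int = 3) -> Dict[str, List[str]]:
    """Privileged/system packages with network access that also hold several
    data-collection permissions, or INSTALL_PACKAGES at all (heuristic threshold)."""
    hits: Dict[str, List[str]] = {}
    for name, info in pkgs.items():
        privileged = bool(info["flags"] & {"SYSTEM", "PRIVILEGED"})
        sens = info["granted"] & SENSITIVE
        net = bool(info["granted"] & NETWORK)
        if privileged and net and (
            len(sens) >= min_sensitive or "android.permission.INSTALL_PACKAGES" in sens
        ):
            hits[name] = sorted(sens)
    return hits


if __name__ == "__main__":
    # Usage: adb shell dumpsys package | python3 triage.py   (falls back to the sample)
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for pkg, perms in flag_suspicious(parse_dumpsys(dump)).items():
        print(pkg, ", ".join(p.rsplit(".", 1)[-1] for p in perms))
```

The stock messaging app in the sample is system-flagged and reads SMS, but holds only two of the listed permissions and cannot install packages, so it is not flagged; the constructed updater is. Treat a hit as a lead, not a verdict: Kryptowire says the firmware "bypassed the Android permission model", and a component running with system privileges can act without declaring the permissions this check looks for, so an empty result does not clear a device.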