Cheap Smartphones in the U.S. are Secretly Stealing Your Personal Info and Sending it to China
A tech security firm has discovered that some cheap Android smartphones sold in the U.S. have been extracting users’ personal data and then transmitting it to a China-based company.
Commercial firmware pre-installed on some Android smartphone models sold in the U.S. has been found to be secretly sending highly sensitive data to Shanghai Adups Technology Co. Ltd., a maker of Firmware Over The Air (FOTA) update software systems, TechCrunch reported.
The Chinese company was able to spy on users’ phones through pre-installed commercial firmware, according to security firm Kryptowire. Without the phone users’ knowledge or consent, the firmware collects personal data such as text messages, call logs, contacts, app usage data and location.
Adups, which installed and controlled the firmware, said the firmware was installed on phones sold in the U.S. by mistake, noting that phones carrying it are intended only for the local market. It also claimed to have deleted all accidentally harvested data after the fact-finding team reached out to it regarding the findings.
One such phone with the embedded firmware is the BLU R1 HD, which can be bought in many stores and on Amazon.com for just $50. The report, however, has not released a full list of compromised brands and models.
BLU has since released a statement that its phones are no longer harvesting data. A total of 120,000 BLU smartphones had previously been affected.
Kryptowire explained in a press release how the firmware hijacks the smartphone:
“These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information. The firmware could identify specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.”
Kryptowire has also sent the report to the U.S. government, which is now investigating the matter.