The New York Times found a witty way to drop the bombshell revelation that some smartphones have secret “backdoor” programming that spies on users and sends their data to China for purposes unknown:
For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.
The phones haven’t been sending just text messages, but also “contact lists, call logs, location information, and other data” to a Chinese server, according to the security firm that found the backdoor, Kryptowire. The malicious code was preinstalled on the phones and completely invisible to users.
It gets worse. According to Kryptowire:
The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.
The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information.
Ars Technica states the backdoor code was apparently designed to “help Chinese phone manufacturers and carriers track the behavior of their customers for advertising purposes.”
Shanghai Adups lawyers insist the data was not collected on behalf of the Chinese government. The volume and nature of the data sent, and the frequency of the transmissions, will doubtless inspire skepticism that it was used solely for targeted advertising.
“BLU Products has identified and has quickly removed a recent security issue caused by a third-party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices. Our customer’s privacy and security are of the upmost (sic) importance and priority. The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information,” said a statement from the company quoted by Fortune.