As many as 700m smartphones around the world may carry a firmware backdoor that sends personal data, including the full text of SMS messages, to a server in China.
Unlocked, low-cost smartphones widely sold in the US and Latin America have been found to ship with firmware that monitors users and sends their text messages and call logs to a server in China every 72 hours.
The figure of 700m comes from the vendor's own claimed user base, so the number of devices actually affected may be lower, but it indicates the scale of the exposure.
Mobile data security player Kryptowire has identified several models of Android mobile devices that contained firmware, which collected sensitive personal data about their users and transmitted this data to third-party servers without disclosure or the users’ consent.
The discovery should prompt a serious debate about the Android device manufacturing supply chain: the monitoring code was not planted by an outside attacker after sale, but was built into the update client that chipset vendors and device makers ship in the firmware image, so it reached handsets before they ever arrived at a retailer.
The devices, such as the BLU R1 HD, were available through US-based online retailers including Amazon and Best Buy.
“These devices actively transmitted user and device information including the full body of text messages, contact lists, call history with full telephone numbers [and] unique device identifiers, including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI),” Kryptowire said.
“The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.”
Fine-grained location data from Android devices shipped to Shanghai
After analysing the firmware, Kryptowire said the collected data, which included fine-grained location information, was encrypted and then transmitted over secure web protocols to a server located in Shanghai, so the exfiltration would not have been visible as plaintext on the network.
“The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested, and managed by a company named Shanghai Adups Technology Co Ltd,” Kryptowire said.
The frightening thing is how many smartphones and internet of things devices may be affected by the firmware backdoor.
“In September 2016, Adups claimed on its website to have a worldwide presence with over 700m active users, and a market share exceeding 70pc across over 150 countries and regions, with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami.
“The Adups website also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors and device manufacturers – spanning from wearable and mobile devices to cars and televisions.”
Kryptowire found that one of the bestselling Android devices available on Amazon and Best Buy would transmit the body of a user’s text messages and call logs to a server in Shanghai.
The data transmission occurred every 72 hours for messages and call log information, and every 24 hours for other personally identifiable information.
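Two of the details above give a practitioner something to check for: the monitoring code lived in a system-level update client (so it runs with system privileges and cannot be uninstalled from the settings menu), and it phoned home on a fixed 24-hour and 72-hour cadence. The following is an added example written for this page, not Kryptowire's tooling and not Adups code. It takes the output of `adb shell pm list packages -f` and a constructed outbound-connection log, flags update clients installed under /system whose names match a heuristic list, and reports destination hosts contacted at a steady ~24h or ~72h interval. The package-name substrings, the log format, and all hostnames and paths are assumptions made up for the illustration.

```python
"""Triage helpers for pre-installed firmware that phones home.

Added example for this article; not Kryptowire's tooling and not Adups code.
Assumes the text format of `adb shell pm list packages -f` and a constructed
connection log. Name patterns below are heuristics, not a vetted indicator list.
"""
import re
from collections import defaultdict
from datetime import datetime

# Heuristic: substrings seen in names of OTA-update clients bundled as system apps.
# These are assumptions for illustration only.
SUSPECT_NAME_PARTS = ("adups", "fota")

# `pm list packages -f` prints lines like: package:/system/app/X/X.apk=com.x
PKG_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")


def flag_system_packages(pm_output, name_parts=SUSPECT_NAME_PARTS):
    """Return (package, apk_path) for packages whose name matches a heuristic
    AND whose APK lives under /system. The partition matters: an app there runs
    with system privileges and cannot be removed through normal user settings."""
    hits = []
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if not m:
            continue
        name, path = m["name"], m["path"]
        if any(p in name.lower() for p in name_parts) and path.startswith("/system/"):
            hits.append((name, path))
    return hits


def periodic_destinations(log_lines, period_hours=(24, 72), tolerance_hours=1.0):
    """Group outbound connections by destination host and return {host: period}
    for hosts whose successive connections all sit at a fixed ~24h or ~72h spacing.
    Constructed log format: 'YYYY-MM-DDTHH:MM:SS <src> -> <host>:<port>'."""
    by_host = defaultdict(list)
    for line in log_lines:
        ts, _, rest = line.partition(" ")
        host = rest.split("-> ")[1].rsplit(":", 1)[0]
        by_host[host].append(datetime.fromisoformat(ts))
    result = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if len(gaps) < 2:  # need at least three contacts to call it periodic
            continue
        for p in period_hours:
            if all(abs(g - p) <= tolerance_hours for g in gaps):
                result[host] = p
    return result


# Constructed sample input (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/app/FotaClient/FotaClient.apk=com.example.fota
package:/data/app/com.example.messenger-1/base.apk=com.example.messenger
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

SAMPLE_CONN_LOG = [
    "2016-11-01T03:00:00 10.0.0.7 -> update.example.test:443",
    "2016-11-04T03:02:00 10.0.0.7 -> update.example.test:443",
    "2016-11-07T02:58:00 10.0.0.7 -> update.example.test:443",
    "2016-11-01T09:00:00 10.0.0.7 -> cdn.example.test:443",
    "2016-11-01T12:30:00 10.0.0.7 -> cdn.example.test:443",
    "2016-11-02T20:00:00 10.0.0.7 -> cdn.example.test:443",
]

if __name__ == "__main__":
    print("system-partition update clients:", flag_system_packages(SAMPLE_PM_OUTPUT))
    print("periodic beacons:", periodic_destinations(SAMPLE_CONN_LOG))
```

The periodicity check deliberately requires at least three contacts and applies a one-hour tolerance, because a real 72-hour timer drifts with reboots and sleep; tighten the tolerance if your logs are from a device that stays on. A package-name match on its own proves nothing, which is why the first function also requires the /system path: a user-installed app with a similar name can simply be uninstalled, whereas a system app of this kind can only be neutralised with a vendor firmware update.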
“As smartphones are ubiquitous and, in many cases, a business necessity, our findings underscore the need for more transparency at every stage of the supply chain and increased consumer awareness,” Kryptowire said.