Backdoor in some Android phones caught secretly sending data to China

Shanghai surprise.

You might be wrong to assume that when you buy a shiny new Android phone there's nothing malicious on it.

Researchers at Kryptowire claim that several Android smartphones sold through major retailers like BestBuy and Amazon have firmware pre-installed on them which transmits sensitive information to third-party servers in China, without the owner's knowledge or consent.

Affected handsets include the BLU R1 HD, which ships with firmware developed by Shanghai Adups Technology Co. Ltd. Selling for about $60 on Amazon, the unlocked BLU R1 HD Android smartphone is unsurprisingly a big seller.

However, the researchers discovered that personal information was being collected by Adups software every 24 hours from the phones and transmitted in encrypted form to servers in Shanghai. Furthermore, some phones were transmitting call logs and the content of text messages every 72 hours.

The data collection could not be disabled by the end user.

BLU has responded to Kryptowire's advisory by publishing its own security notice to customers:

Blu security notice

BLU Products has identified and has quickly removed a recent security issue caused by a 3rd party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices.

Our customer’s privacy and security are of the upmost importance and priority.

The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.

BLU's advisory says that its R1 HD, Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond models are impacted and goes on to describe how handset owners can confirm if their device is affected or not.

Even if BLU has resolved the issue, it doesn't seem to have apologised to affected users or done anything to explain just why its phones were collecting sensitive personal information about its customers and their communications.

2 Responses

  1. Dean

    November 16, 2016 at 2:06 pm #

    Almost related. Just purchased CCTV system Sannce made in China and since getting iPhone app, have been getting dodgy requests in Chinese to share picture albums on my phone and calendar dates added asking to accept. Dug a little deeper and found what looks like Chinese spam website address.

  2. hya

    January 23, 2017 at 1:03 am #

    Hi,
    I think this issue could be resolved with rooting… at least I did it to rescue our Lead device; I rooted a LEAGOO Lead 5 that had been affected by this backdoor.

    I rooted the phone with KingRoot (from Shanghai :D) and deleted the main infection that is related to the FOTAProvider via Sophos Security (from London :D).
    After 48hrs there are not any new infected files downloaded by FOTAProvider.

    Seems that FOTAProvider downloads infected random tools from specific servers and collected data is sent back to specific servers.
    I decided to upgrade to an Android One project's device for a more up-to-date device!!

    Kind regards
    hya
