Security firm Kryptowire recently discovered that some Android smartphones carry a backdoor that secretly sends user data to China, reports the NY Times. Perhaps more concerning, American phone maker BLU Products said that 120,000 of its phones were found to have the backdoor in their software, and that it has since pushed an update that removes all trace of it.
The software at fault comes from Shanghai Adups Technology Company, a Chinese company that provides Android-based software to electronics manufacturers. Its software is used by various electronics companies in more than 700 million phones, cars and other smart devices.
The backdoor was designed to transmit the contents of text messages, contacts, call logs, location data and much more to a Chinese server, without the user's consent.
In a report published on its website, Kryptowire further explains that “The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.”
Adups says the software was built at the request of an unidentified Chinese customer to monitor user behavior on some phones sold in China, but it is unclear how it ended up on a broader range of devices and reached the US, which Adups says was unintentional.
The situation also raises the question of who the unidentified customer that asked for this secret backdoor may be. Considering the state of human rights and privacy in China, it is not far-fetched to think the government could be involved in the development and distribution of this software.
American authorities have been alerted to the situation and are still evaluating whether the backdoor was really there for advertising purposes or was part of a larger Chinese government effort to collect data and intelligence.
Android is of course Google software, and while the company is not at fault here, it is hard not to see the limitations of the “open” Android model when it is subject to this kind of abuse. Google has told Adups to remove the surveillance tools from devices that run its services, such as the Google Play Store.
Because Adups has not provided a list of affected devices, users cannot currently tell whether their own devices are affected.
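As a practical triage step in the meantime, here is an added example (not from the Kryptowire report, the NY Times article or any vendor) that reads the package list an Android device prints with `adb shell pm list packages` and flags package names matching a vendor substring. The substring `adups` is an assumption on my part, and the package names in the bundled sample are constructed to illustrate the output format, not a list of affected packages from the report. A match only tells you the vendor's firmware-update component is installed; firmware updating is a legitimate function, and BLU says updated builds no longer carry the monitoring code, so treat a hit as a reason to check your firmware version and update, not as proof of compromise.

```shell
#!/bin/sh
# Added example: flag vendor firmware-update (FOTA) packages in an Android
# package list. Usage:
#   adb shell pm list packages > pkgs.txt && sh adups_check.sh pkgs.txt
# With no argument the script runs against a constructed sample instead.

# Assumed vendor substring; adjust if you are checking for a different vendor.
SUSPECT_PATTERN='adups'

# flag_suspect_packages: read "package:<name>" lines (the format printed by
# `pm list packages`) on stdin and print the bare names that match the pattern.
# `|| true` keeps a no-match result from failing the pipeline under `set -e`.
flag_suspect_packages() {
    sed -n 's/^package://p' | grep -i "$SUSPECT_PATTERN" || true
}

# count_suspect_packages: number of matching packages, as a bare integer.
count_suspect_packages() {
    flag_suspect_packages | wc -l | tr -d ' '
}

# Constructed sample of `pm list packages` output (not captured from a real
# device); two of the four entries match the assumed vendor substring.
SAMPLE_PACKAGES='package:com.android.settings
package:com.adups.fota
package:com.google.android.gms
package:com.adups.fota.sysoper'

PKG_FILE="${1:-}"
if [ -n "$PKG_FILE" ]; then
    hits=$(count_suspect_packages < "$PKG_FILE")
    flag_suspect_packages < "$PKG_FILE"
else
    hits=$(printf '%s\n' "$SAMPLE_PACKAGES" | count_suspect_packages)
    printf '%s\n' "$SAMPLE_PACKAGES" | flag_suspect_packages
fi

if [ "$hits" -gt 0 ]; then
    echo "$hits package(s) match '$SUSPECT_PATTERN': check the firmware version and apply the vendor update."
else
    echo "no package matches '$SUSPECT_PATTERN' (this does not rule out other vendors' components)."
fi
```

Because a package list can be exported from the device and checked offline, this also works on a phone you do not want to connect to anything while it is under suspicion: dump the list once, then run the check on a workstation.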