A Chinese company has been caught pre-loading Android phones with software that sends peoples' text messages, location information, and call records to a Chinese server, The New York Times reports. Shanghai Adups Technology Company, otherwise known as Adups, says its code runs on over 700 million phones, although the scale of this particular issue is unknown.
But mobile security researchers say they already confronted Adups, and warned vendors who sold its products, about the backdoors over the last few years, to little avail.
"We tried very hard to contact Adups multiple times," Tim Strazzere, a mobile security researcher, told Motherboard in an email. "After almost months they finally responded, yet I've only ever seen one device receive an update. They claim to fix things, but say the downstream manufacturers don't want to push the updates," he continued.
According to The New York Times report, security firm Kryptowire recently found the suspicious activity with a phone that used Adups' code, after one of the company's employees bought a cheap phone, the BLU R1 HD, for travel overseas. The researcher noticed unusual network activity, and then found the phone was sending text messages to a Shanghai-based server registered to Adups.
The automatically transferred data also included contact lists and unique identifiers such as the International Mobile Subscriber Identity (IMSI) number, according to a press release from Kryptowire. The several models of affected Android devices were available through online retailers such as Amazon and Best Buy, Kryptowire adds. (Neither outlet immediately responded to Motherboard's request for comment).
"The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices," the announcement continues.
Adups' data exfiltration was not an accident but a deliberate feature, included to help a Chinese phone manufacturer monitor customer behaviour, the report continues. That code, however, which is not disclosed to phone users, made its way onto American phones. BLU Products, an American phone manufacturer that makes the BLU R1 HD, said that some 120,000 of its phone had been implicated, and the company has issued an update to cut off the unwanted feature, the report reads.
But according to Android security researcher Jon Sawyer, vendors, including BLU, were already aware of problems with Adup's code.
"I attempted contact through vendors, including BLU with no luck," Sawyer told Motherboard in a Twitter message.
"The vendors just didn't care," he wrote in a tweet.
BLU Products did not respond to Motherboard's request for comment.
Strazzere claimed there are still devices being sold online which contain the same, or nearly identical backdoors to what Jon and him previously highlighted.
"Users need to vote with their wallet," Strazzere added. "Hopefully public shaming will make them actually update and protect some of these people..."
Update: An Amazon spokesperson provided the following comment after this story's initial publication:
We recently learned of a security issue on select BLU phones, some of which are sold on Amazon.com. The manufacturer, BLU Products, has confirmed they sent a software update to resolve the issue on impacted phones.
Because security and privacy are of the utmost importance, all impacted phone models were immediately made unavailable for purchase on Amazon.com. Now that the issue has been resolved, we're working to make these phones available to Amazon.com customers again.