Some Low-Cost Chinese Android Phones Come With a Secret Backdoor to Your Data
If you own a BLU Products device, you may be sending a host of data about your phone activity to China. Kryptowire, a mobile device security firm, discovered a backdoor in firmware installed on lower-cost, Chinese-manufactured phones recently.
Initially, the affected firmware was found on the BLU R1 HD, sold by Amazon and Best Buy. Data including a user's phone number, location data, text message content, call logs, which applications were installed, and usage data for applications were all sent to Chinese servers.
The servers, owned by Shanghai AdUps Technologies, collected data designed to help Chinese phone carriers and hardware manufacturers track customer behavior for targeted advertising. According to AdUps, the customer tracking/surveillance feature was only intended for the Chinese market and was not expected to be released to smartphones worldwide.
A legal representative for AdUps in a communique with The New York Times stated that the data collected was not made available to the Chinese Government, nor was the purpose for the collection of the data in any way related to espionage. Instead, the update that included the backdoor was released worldwide by mistake.
"These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices... The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information."
BLU has stated that the update mishap has affected a small number of devices only and that a new update has been sent out that disables data collection. It's estimated that around 120,000 devices were affected by the backdoor update, and if you have a BLU Products branded device, it's highly recommended that you update to the latest available firmware to ensure that your data isn't being collected.