Oiwan Lam | Global Voices
Kryptowire, a security firm, recently identified several models of Android mobile devices that have preinstalled permanent software, known as firmware, that serve as backdoor that collects sensitive personal data, including text messages, geolocations, contact lists, call logs and transmits them to a third-party server in Shanghai, China.
Without users’ consent, the code can bypass Android’s permission model. This could allow anyone interested in a mobile user’s data — from government officials to malicious hackers — to execute remote commands with system privileges and even reprogram the devices.
The firmware was developed by Chinese company Shanghai ADUPS Technology Company. ADUPS confirmed the report with a statement explaining that the software was a “solution” to a Chinese phone manufacturer’s demand to “flag junk texts and calls” in response to user demand. It said the collected messages would be analyzed to “identify junk texts” and “improve mobile phone experience.”
Kryptowire’s research reveals that the collected information was protected with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other personally identifiable information.
ADUPS explained that the “accustomed” firmware was accidentally built into 120,000 mobile products of one American phone manufacturer, BLU Products. After BLU raised the issue, ADUPS explained that the software was not designed for American phones and deactivated the program on Blu phones.
The news has been widely reported in foreign media as ADUPS is among the largest FOTA (firmware over the air) providers in the world. The company provides a cloud platform for mobile device management to over 700 million active users in 200 countries, which is equivalent to 70% of the global market share as it works closely with the world largest cheap mobile phone manufacturers ZTE and Huawei, both of which are based in China. In 2015 alone, Huawei sold more than 100 million smartphones.
Chinese netizens have not been surprised by the news. Reports about spyware preinstalled in Chinese mobile brands have circulated for many years among mainland and overseas Chinese speaking-communities. In 2014, Hong Kong Android Magazine reported that Xiaomi’s smartphones designed for overseas markets were automatically connecting to an IP in Beijing and that all documents, SMS and phone logs, and video files downloaded were being transmitted to a Beijing server.
In 2015, Germany-based security company G-Data also found out that at least 26 Android mobile brands had preinstalled spyware in their smartphones. The three biggest Chinese smartphone manufacturers, Xiaomi, Huawei and Lenovo were all listed.
China’s newly passed Cybersecurity Law has provided legal ground for the smartphone’s backdoor operation. The law requires “critical information infrastructure operators” to store users’ “personal information and other important business data” in China.
Other laws, such as the Child Protection Bill (still in draft), also requires hardware companies to pre-install surveillance software on communication devices and legalize specific approaches to treating internet addiction, all in the interest of protecting children.
In addition to the surveillance of private data as required by law, Chinese Android phone users regularly download Android apps from unofficial third party app markets since Google left China in 2010. These Android markets are flooded with apps containing malware that can steal and manipulate personal data.
On November 16, the New York Times reported that American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
In response to the news, many Chinese netizens are pointing out the abusive use of personal data and government surveillance has become the norm: “We are so used to the leaking of personal data. We don’t care about government surveillance anymore. We are nobody.”