Shanghai surprise as cheap Android devices ‘phone home’ to China

If your business is a BYOD outfit, it might already have rock-solid rules to keep the network safe from lame passwords, dodgy apps, rooted phones, devices too old to get security updates (even if they’re brand new), unlocked screens, and the USB-stick-like ability to slather around malware.

But is it safe from phones that send user data to China every 72 hours?

That’s how often several models of Android devices are pushing text messages and call logs to a company in China, mobile security company Kryptowire has discovered.

You can get one of these devices starting around $60. That’s what the popular BLU R1 HD is going for on Amazon. They’re also available at other major US-based online retailers, including BestBuy.

That’s $60 for an unlocked dual-SIM smartphone with a high-def camera – plus what the analysts say is a backdoor that not only sends your text logs and call logs every 72 hours, it also ships personally identifiable information (PII) to China every 24 hours, all without users being informed or opting in.

The backdoor is being enabled by firmware that shipped with the mobile devices. Subsequent over-the-air updates allowed applications to be remotely installed, also without user consent.

In some versions of the software, fine-grained location data about users are also being transmitted.

And it doesn’t stop there. The firmware could also:

  • Identify specific users and text messages matching remotely defined keywords
  • Collect and transmit information about the use of applications installed on the monitored device
  • Bypass the Android permission model
  • Execute remote commands with escalated (system) privileges
  • Remotely reprogram devices

The collected information was getting multiple layers of encryption (albeit with a plaintext decryption key that the analysts uncovered), then being sent to a server in Shanghai. None of this raised flags with mobile anti-virus tools, which presume that software prepackaged on a device isn’t malware and hence give it the green light.

The firmware is controlled by a company called Shanghai Adups Technology Co. Ltd.

Besides producing firmware, Adups offers cloud-based service for over-the-air updating for what it says are more than 400 leading mobile operators, semiconductor vendors and device manufacturers, including makers of wearables, mobile devices, cars and TVs.

As the New York Times reports, the scope of the problem is unclear: for one thing, nobody’s quite sure if the data-mining is being done for ad-slinging or potentially for spying on behalf of the Chinese government.

Adups is pointing to the ad-slinging explanation. It’s not a bug, according to a document it provided to execs at BLU Products (maker of the $60 device) to explain the problem.

Rather, it’s a big mistake. The document says that Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior. That version of the software was never intended for American phones, Adups said.

The NYT quoted Lily Lim, a lawyer based in California who represents Adups:

This is a private company that made a mistake.

That could well be the case. A word like “Adups” in the company name might point to this being just that: a case of advertising vampires gone on a data-slurping, sloppy binge. But it’s not known for sure whether it’s just a “mistake” or whether it’s something more disconcerting.

Having said that, most devices call home to some mix of vendor, carrier, manufacturer, OEM, operating system supplier and more. The question is: what do they say? How do they say it? And how transparent is the company that collects the data?

According to the NYT, BLU Products said that 120,000 of its phones had been affected. BLU said in a security notice that it had updated the software to eliminate the backdoors.

We don’t need a conspiratorial, surveillance-happy government to explain the situation when a series of poor decisions about advertising can explain it just as well.

Take the Lenovo Superfish controversy, for one. Superfish was the marketing company that offered “visual search” that analyzed images that you saw in your web ramblings, matched them against a giant database of images in the cloud, and presented you with a bunch of similar images, selling clicks based on images you saw instead of words you read.

It might be nice to see a bureau that matches the side table you just clicked on, but not when getting to that furniture nirvana entails a service that sets itself up to intercept your traffic via a Man in The Middle, or MiTM, technique… and which sets itself up as a trusted Certificate Authority, to boot.

In other words, the leaky Android devices could well be just the latest case in a string of ad dollars-fueled chicanery that undercuts good security.

What can you do to your BYOD protocol to protect the enterprise from spying gadgets like this?


Tom Karygiannis, a vice-president of Kryptowire, says that the surveillance isn’t disclosed to phone users, telling the NYT:

Even if you wanted to, you wouldn’t have known about it.

Happenstance led to a Kryptowire analyst discovering that his recently purchased BLU R1 HD phone was phoning home to China.

Adups hasn’t released a list of affected phones, and it’s unclear how the average, nontechnical user can determine if their phone is vulnerable. Adups’ lawyer, Lim, had no words of advice on that front.