For about US$50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: A backdoor that sends all your text messages to China every 72 hours.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages.
US authorities said it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
International customers and users of disposable or prepaid mobile phones are the people most affected by the software.
However, the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Co, said its code runs on more than 700 million phones, cars and other smart devices.
One US phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.
Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server.
The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Virginia.
“Even if you wanted to, you wouldn’t have known about it,” he said.
Security experts frequently discover vulnerabilities in consumer electronics, but this case is exceptional.
It is not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior, according to a document that Adups provided to explain the problem to BLU executives.
That version of the software was not intended for US phones, the company said.
“This is a private company that made a mistake,” said Lily Lim, a lawyer in Palo Alto, California, who represents Adups.
The episode shows how companies throughout the technology supply chain can compromise privacy, with or without the knowledge of manufacturers or customers. It also offers a look at one way that companies — and by extension governments — can monitor cellphone behavior.
For many years, the Chinese government has used a variety of methods to filter and track Internet use and monitor online conversations. It requires technology companies that operate in China to follow strict rules.
Adups is not affiliated with the Chinese government, Lim said.
At the heart of the issue is a special type of software, known as firmware, that tells phones how to operate. Adups provides the code that lets companies remotely update their firmware, an important function that is largely unseen by users.
Normally, when a phone manufacturer updates its firmware, it tells customers what it is doing and whether it will use any personal information. Even if that is disclosed in long legal disclosures that customers routinely ignore, it is at least disclosed.
That did not happen with the Adups software, Kryptowire said.
According to its Web site, Adups provides software to two of the largest cellphone manufacturers in the world, ZTE and Huawei. Both are based in China.
Samuel Ohev-Zion, who is chief executive of Florida-based BLU Products, said: “It was obviously something that we were not aware of. We moved very quickly to correct it.”
Adups had assured him that all of the information taken from BLU customers had been destroyed, he said.
Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable.
“People who have some technical skills could, but the average consumer? No,” Karygiannis said.
Kryptowire discovered the problem through a combination of happenstance and curiosity.
A researcher bought an inexpensive phone for a trip overseas.
While setting up the phone, he noticed unusual network activity, Karygiannis said.
Over the next week, analysts noticed that the phone was transmitting text messages to a server in Shanghai that was registered to Adups, according to a Kryptowire report.
Kryptowire took its findings to the US government. It plans to make its report public as early as Tuesday next week.
Marsha Catron, a spokeswoman for the US Department of Homeland Security, said the agency “was recently made aware of the concerns discovered by Kryptowire.”
Catron said that the Department of Homeland Security “is working with our public and private sector partners to identify appropriate mitigation strategies.”