Despite being caught a year ago, Android phones around the world are secretly sending sensitive user data to an opaque Chinese tech company whose software is found in millions of cheap phones used widely by lower-income customers in the developing world, Europe and the United States.
Despite the controversy stirred by the original report — which prompted reactions everywhere from Google to the Department of Homeland Security — the Chinese firm continues to secretly siphon off user data without disclosure or consent, according to the latest round of research from the Virginia-based cybersecurity company Kryptowire.
The new report comes nearly a year after Kryptowire researcher Ryan Johnson showed that more than 700 million Android smartphones, including some in the United States, carried the Chinese-authored software.
Users are tracked by their movements and communications; the software tracks call logs, text messages, contact lists, GPS location and other data. The spyware has been selectively scaled back since it was originally exposed in 2016, Kryptowire says, but it continues to take in sensitive data and can, with a single update, scale right back up.
The software comes from Shanghai Adups Technology Company, the third-party firmware update provider used by several manufacturers of lower-end Android phones ranging in price from around $50 to $300. Adups received more information including whether your phone is rooted, application list and detailed information on how apps are used on a device.
Additionally, Adups has a command-and-control channel that can execute code on a user’s phone as a system user.
“The capability is there and that’s certainly a capability I wouldn’t be comfortable with,” Johnson said. “Having a foreign country have the power to execute arbitrary commands as the most privileged user other than root on the phone.”
The spyware highlights how cheap phones can be saddled with intrusive — and potentially lucrative — software from relatively unknown companies that can go undetected for long periods until researchers stumble upon the data. This kind of behavior would normally be flagged and shut down by security software but most tools assume software shipping with the phone is not malware and therefore whitelists it, allowing Adups to transmit sensitive data to servers in Shanghai.
The issue warrants further research from experts outside of the United States who can look at phones and manufacturers that generally don’t touch the American market, researchers say. Different regions of the world are impacted uniquely, the research shows, but the full scope of the issue remains unknown.
As of September 2016, Adups claimed to have a worldwide presence of over 700 million active users in 150 countries on 400 mobile operators semiconductor vendors, and manufacturers in phones, wearables, cars and televisions.
“If you’re getting a pretty sweet phone, a phone that has too much value price for power, there is the possibility they’re subsidizing that through some sort of data stealing,” Johnson said. “If you have a phone, it’s a good idea to run some sort of anti-virus and see if there’s any known malicious software. There definitely should be more attention paid to what the capabilities of these apps are and how much data they’re getting.”
Founded in 2012, Adups is a young company with a relatively lengthy history of taking surreptitious action on users’ phones, including in 2015 when they were discovered to be installing apps on Micromax Android devices without permission.
Google, Amazon, BLU and DHS worked with Adups in 2016 to scale back the spyware capabilities exposed by Kryptowire researchers. Adups then used that command and control channel to update their software and scale back, to some extent, the secret data exfiltration. But the Chinese firm continues to siphon off sensitive data including on phones from the American company BLU, according to Johnson.
Johnson continued to test Adups phones through this summer and found that popular low-end manufacturers like Cubot, a Chinese manufacturer popular in Europe, Africa, South America and Asia, still uses Adups software. The capability to specifically target and search text messages was turned off in the United States but, Johnson said, it can easily be turned back on or geotargeted to be used in other countries.
“Adups has the ability to get only certain numbers,” Johnson said. “It will search your text messages and only send back messages that have specific numbers. So if they’re targeting a certain person, they can say, ‘Okay we’re only interested in a conversation if it has this entity or number as an endpoint.’ They can also target by keyword so if your text message has the word ‘mangoes’ in it, they can get all text messages with that word. They can target and be pretty specific about it.”
BLU Products, an American company specializing in low-cost mobile devices with millions of customers in the U.S., was found last year to be using Adups and allowing mountains of user data to be taken without permission. The data siphoning has been scaled back, but according to Johnson, BLU is still using Adup and the Chinese firm still receives data, without permission, including the user’s phone number, cell tower, device identifiers, list of installed applications.