Security research firm Kyptowire, through a research report, recently revealed something that should deeply concern those who regularly use budget phones and store a lot of personal information in them. Kryptowire said that these phone have software installed in them that pass on sensitive user data to a Chinese company named Shanghai Adups Technology every 72 hours. The sensitive data in question include "full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI)."
Is your phone on an older version of Android? Beware of malware attacks!
Following the publication of the report, Blu Products, maker of cheap smartphones in the US, admitted that 120,000 of its phones featured the malicious software and rolled out a new software update to suppress it. Amazon also pulled select Blu phones from its inventory in the United States, stating that it took security and privacy seriously.
That these phones are not victims of malware or viruses but contain software that specifically pass on such user information makes millions of users vulnerable to unauthorised alien surveillance as well as data theft. Apart from texts, call records and location information, the malicious software also "collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."
Value security and privacy? these are the phones for you
"The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed," said security researchers at Kryptowire.
The firm adds that the dubious Shanghai-based company has it's software installed in phones of 700 million active users in over 150 countries and also has offices in places like Shenzhen, Beijing, Tokyo, New Delhi and Miami. What's more, the company's software is also installed in wearables, cars and televisions aside from mobile devices. In light of such vulnerabilities, Kyptowire has recommended more transparency at every stage of the supply chain to raise awareness and that manufacturers should ensure that every software installed in their devices should be compliant with privacy and security laws.
Chinese phone maker Huawei have issued a statement whereby they have said that Shanghai Adups technologies are not installed in their phones and the company is not in their list of approved suppliers. "We take our customers' privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them," Huawei said.