There are a lot of fantastic budget smartphones on the market today, but there are always concerns with smartphones that are super cheap. One of those is security, an increasingly important part of any smartphone. Now security firm Kryptowire has uncovered an alleged backdoor hidden within some budget Android smartphones.
In a report, Kryptowire documents a collection of software tools from Adups which can apparently harvest SMS information, call logs, contact names, IP information, IMEI data, and much more. The software then sends that data back to third-party servers in China without notifying the user. The software could even target specific keywords in messages and track the various kinds of apps used on the device. A quote from the report further explains what Adups was doing:
These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices… The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information.
According to the company installing this software, Shanghai AdUps Technologies, this software is currently in use on over 700 million devices worldwide including everything from phones to tablets and even automotive entertainment systems. Smartphones from Huawei and ZTE use the software in China, but even some US devices were affected.
The report specifically calls out the BLU R1 HD, a smartphone made popular by its extremely affordable price tag of just $50. BLU apparently used the software as part of its method to push updates to the device, although it’s unclear if the company’s other smartphones are affected.
Upon discovering these transmissions in lab testing, Kryptowire immediately notified Google, Adups, BLU, and Amazon ─ the latter of which has recently taken the R1 HD off its website, likely for this reason. According to a statement to Ars Technica, BLU has since patched the issue which affected about 120,000 devices.
Update: ZTE USA has reached out to confirm that its devices sold in the United States were not affected by this software.
We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.
Huawei has also reached out to clarify that it has not released devices with Adups software installed.
Huawei takes our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.