Security researchers in the US have discovered what could be an unprecedented breach of user data, after finding a secret 'backdoor' in several models of Android smartphones that sent people's personal information to a server located in China.
It's unclear how many devices are affected by the problem, but at least one phone manufacturer – BLU, which sells devices in the US through Amazon and Best Buy – has acknowledged that as many as 120,000 of its smartphones were compromised by the backdoor.
Researchers from security firm Kryptowire first discovered the leaking data after an employee bought one of the affected phones – a BLU R1 HD – for an overseas trip.
The employee noticed unusual network activity when setting up the phone, and further analysis revealed that the device was transmitting messages to a server in Shanghai.
Subsequent investigations showed that the servers belonged to a company called Shanghai Adups Technology (aka Adups), which provides firmware update services for mobile devices. The company claims to have its software on over 700 million devices across the world, although it's unlikely the backdoor extends that far.
According to Adups, the backdoor feature was originally designed for a Chinese phone manufacturer – the identity of which hasn't been disclosed – that wanted a way of monitoring its customers' behaviour, to help screen spam messages and calls.
This intentional feature was never meant to be used outside of China on devices for the American or international market.
"This is a private company that made a mistake," Californian lawyer Lily Lim, who represents Adups, told Matt Apuzzo and Michael S. Schmidt of The New York Times.
But that "mistake" has some pretty far-reaching consequences. According to Kryptowire, phones with the Adups software transmitted personal data to China, including text messages, contact lists, call history with full telephone numbers, and details that identify the device, such as the International Mobile Equipment Identity (IMEI).
In addition, the firmware collected and transmitted information about the use of apps installed on the device, and was capable of remotely programming the device, installing new code or apps without the owners' consent.
Of course, none of this surveillance or control was made clear to device owners, and only technical experts would ever be able to detect what was going on under the hood.
"Even if you wanted to, you wouldn't have known about it," Kryptowire vice president Tom Karygiannis told The New York Times.
But computer scientists were aware of these kinds of functionalities, and had pleaded, without success, with Adups to address the vulnerability.
"We tried very hard to contact Adups multiple times," mobile security researcher Tim Strazzere told Joseph Cox at Motherboard.
"After almost months they finally responded, yet I've only ever seen one device receive an update. They claim to fix things, but say the downstream manufacturers don't want to push the updates."
But finally, after the Kryptowire researchers communicated their findings to BLU – in addition to Google and Amazon – the manufacturer acted to remove the backdoor in its compromised models.
Given how many devices Adups ultimately has its software on, though, it's possible the backdoor extends to more Android devices than the BLU handsets that Kryptowire has so far analysed. As for how many that could be, there's no way of knowing right now.
In the meantime, BLU device owners should follow these instructions if they think their phone might be affected.
As for the rest of us, there's not a lot we can do, other than try to be aware of which brands are not acting to patch up this kind of backdoor activity – and consciously not supporting those companies at the checkout.
"Users need to vote with their wallet," Strazzere told Motherboard. "Hopefully public shaming will make them actually update and protect some of these people."