Android spyware secretly collecting user data was found preinstalled on a budget smartphone sold through various retailers. Although the company responsible claimed it was standard data collection, one expert said this software went overboard.
Researchers at Kryptowire LLC, a mobile security firm jump-started by the Defense Advanced Research Projects Agency and the Department of Homeland Security, based in Fairfax, Va., said they first came across the mobile spyware on a $59 BLU R1 HD smartphone bought from Amazon. The Android spyware "collected sensitive personal data about their users and transmitted this sensitive data to third-party servers, without disclosure or the users' consent," under the guise of offering better spam filtering.
"These devices actively transmitted user and device information, including the full body of text messages, contact lists, call history with full telephone numbers and unique device identifiers, including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. The firmware could target specific users and text messages matching remotely defined keywords," Kryptowire wrote in a blog post. "The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity there are less invasive ways to provide spam filtering.
"Filtering out spam messages and calls is a nice-to-have feature, but there are other technical approaches toward doing it besides forwarding full text messages and contact details, infringing on users' privacy," Arsene said. "That's why metadata and message fingerprinting technologies exist, so that users' personal data is never sent as it is, protecting their privacy."
The company behind the firmware, and the recipient of the user data, was Shanghai ADUPS Technology Co. Ltd., commonly known as ADUPS, which provides professional firmware over-the-air (FOTA) update services for smartphones. According to the ADUPS website, the company has 700 million active users worldwide.
ADUPS said BLU objected to the Android spyware collecting data without user consent in June 2016, and "ADUPS took immediate measures to disable that functionality on BLU phones." There was no comment on the use of this firmware on other Android devices, but ADUPS assured customers "no information associated with that functionality, such as text messages, contacts or phone logs, was disclosed to others, and any such information received from a BLU phone during that short period was deleted."
Arsene said the speed of the fix was commendable.
"From a technical perspective, declaring to have disabled the feature and removed all collected data in such a short time is commendable," Arsene said. "This means they knew what the problem was and how to quickly fix it."
ADUPS said in a statement it takes "user privacy very seriously" and claimed the software in question was designed to help eliminate spam.
"In response to user demand to screen out junk texts and calls from advertisers, our client asked ADUPS to provide a way to flag junk texts and calls for users. We developed a solution for ADUPS FOTA application," ADUPS wrote in a blog post. "The customized version collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience. ADUPS FOTA application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user's contacts."
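To make concrete the contrast between the two approaches described above (Arsene's point that spam filtering can work on fingerprints and metadata, and ADUPS's description of keyword flagging and not-in-contacts checks), here is an added illustration in Python. It is not code from ADUPS, Kryptowire or Arsene; the keyword list, the per-device salt and the sample messages are constructed for the example. The spam decision is made on the device, and the only data built for upstream reporting is a content fingerprint, a pseudonymized sender token and the verdict; the message body, the contact list and device identifiers never enter the report. The last function is an audit check a reviewer can run against whatever payload a client actually sends.

```python
import hashlib
import json
import re

# Constructed keyword list standing in for a remotely updated spam-term feed.
SPAM_KEYWORDS = ("free prize", "click here", "claim now")


def _digits(number: str) -> str:
    """Keep only the digits of a phone number so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


def normalize(text: str) -> str:
    """Lower-case, mask digits and collapse whitespace so spam templates that differ
    only in phone numbers or amounts produce the same fingerprint."""
    text = re.sub(r"\d", "#", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(text: str) -> str:
    """Content fingerprint: SHA-256 of the normalized text, truncated to 16 hex chars.
    A backend can count how often a template is seen without receiving the text."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()[:16]


def pseudonymize_number(number: str, device_salt: bytes) -> str:
    """Per-device salted hash of a sender number: stable on one device (so repeat
    senders can be tracked locally) but not joinable across devices, and the raw
    number itself never leaves the phone."""
    return hashlib.sha256(device_salt + _digits(number).encode()).hexdigest()[:16]


def classify(body: str, sender: str, contacts: set) -> dict:
    """On-device decision. Keyword matches drive the verdict; an unknown sender is
    recorded as a feature only, never as a verdict on its own."""
    text = normalize(body)
    reasons = [f"keyword:{kw}" for kw in SPAM_KEYWORDS if kw in text]
    return {
        "is_spam": bool(reasons),
        "reasons": reasons,
        "unknown_sender": _digits(sender) not in contacts,
    }


def build_report(body: str, sender: str, contacts: set, device_salt: bytes) -> dict:
    """The only data prepared for upstream reporting: verdict, fingerprint and
    pseudonymized sender. No message body, no contact list, no IMEI/IMSI."""
    verdict = classify(body, sender, contacts)
    return {
        "fingerprint": fingerprint(body),
        "sender_token": pseudonymize_number(sender, device_salt),
        "is_spam": verdict["is_spam"],
        "reasons": verdict["reasons"],
        "unknown_sender": verdict["unknown_sender"],
    }


def leaks_raw_content(report: dict, body: str, sender: str) -> bool:
    """Audit check for an outbound payload: True if it carries the raw message
    text or the raw sender number. Run it on the payload a client really sends."""
    serialized = json.dumps(report).lower()
    digits = _digits(sender)
    return body.lower() in serialized or (bool(digits) and digits in serialized)


# Constructed sample data: a per-device secret, one known contact, three messages.
DEVICE_SALT = b"constructed-per-device-secret"   # would be generated at first boot
CONTACTS = {_digits("+1 555 000 1111")}
SAMPLES = [
    ("+1 555 000 1111", "Running late, see you at 7"),
    ("+1 555 000 9999", "You are a WINNER! Claim now: call 555-000-9999"),
    ("+1 555 000 8888", "you are a winner! claim now: call 555-000-7777"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        report = build_report(body, sender, CONTACTS, DEVICE_SALT)
        print(json.dumps(report), "leaks:", leaks_raw_content(report, body, sender))
```

The two spam samples differ in case and in the embedded phone number yet produce the same fingerprint, which is what lets a backend aggregate sightings of one template; the sender tokens differ, and neither the text nor the numbers appear in the report. A payload that did include the body or number, as the firmware in the article did, fails the `leaks_raw_content` check.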
Arsene said data collection, in general, is not uncommon and can help to "accurately deliver updates to specific devices in case security issues arise."
"However, users should always be notified when such information is being collected, as some might want to opt out and dismiss such features," Arsene said. "It's mandatory for any software provider to inform its customers in regards to what type of information they're collecting -- whether for marketing, commercial or for offering various functionalities. The fact that such a disclaimer was missing is a big deal, as it borders [on] espionage malware practices."