Planted Spyware in Android Phones, Admits Chinese Company
A Chinese company has admitted that it planted spyware in some Android mobile phones that sent information about the users and text messages back to China.
The admission came after the programme was exposed by a US cyber security firm.
Although the company, Shanghai Adups Technology, asserted that the "text messages, contacts or phone logs" it collected were not shared with anyone else, the disclosure has raised security and privacy concerns about the use of spyware and the potential for the information collected to fall into the hands of the government or others. Several mobile phone brands are manufactured in China.
Kryptowire exposed the spyware on Tuesday, saying that it had found it hidden in the firmware that came installed by the manufacturer on some phones it had examined.
It said that the programme transmitted the information it collected from mobile phones to computers in Shanghai.
Firmware is the programme that comes pre-installed and controls actions like updating the operating system or other programmes.
"The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent," Kryptowire said.
It dodged anti-virus software because it was assumed that programmes shipped pre-installed on phones and considered integral to them were clean, it added.
Kryptowire identified the Blu brand's R1 HD phone as one of the models infected with the programme.
The model has apparently been sold in India because price monitoring websites like Mobilewithprices and Phoneradar have posted local prices for it.
Amazon's Indian website sells accessories for the model, although the phone itself is not listed. The US parent of Amazon has stopped selling it.
The manufacturer of Blu said on its website that it has "identified and has quickly removed a recent security issue caused by a third party application which had been collecting unauthorised personal data in the form of text messages, call logs, and contacts from customers."
"The firmware on its phones was automatically updated to remove it and verified to be no longer collecting or sending this information," Blu said.
In addition to the R1 HD, Blu said the affected models were Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL and Energy Diamond.
The programme belongs to the category known as Firmware Over the Air (FOTA); such programmes come pre-installed in computers and are meant, among other things, to keep the phones automatically updated.
Adups, which claims to have over 700 million active users in more than 200 countries or regions, said that the programme to collect and send the information was "inadvertently" included in the firmware.
The company said it had come up with the programme to help "screen out junk texts and calls from advertisers" by analysing the information collected about them from phones "in order to improve mobile phone experience."