Secret Backdoor in Some US Phones Sent Data To China

Security contractors have warned that many Android smartphones ship with preinstalled software that has a backdoor that sends all your text messages to China every 72 hours. (Editor's note: the link could be paywalled; here's the press release.) The New York Times reported Tuesday that "the American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence." From the report: International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature. Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. "Even if you wanted to, you wouldn't have known about it," he said.

Ads or government collection

[Calydor]

Why not both?

Is there some magical thing that says if something is collecting for advertisement purposes it can't be shared with intelligence agencies?

Re: Ads or government collection

[Anonymous Coward]

Right. We know from the Snowden leaks that US intelligence doesn't miss any opportunity to collect data. Why would China be any different?

Backdoors

[paskie]

Meanwhile, Public Backdoor in Many Chinese Phones Sent Data To US.

Re:

[Darinbob]

So many web devs adamantly support advertising as the way to make money and keep their jobs. So why not support government spying a a means to make money, they've already sold their souls to the advertisers so one more concession shouldn't be a big deal, right? After all government spying at least is not as intrusive as ads, the government actually makes it a point to not clutter up the web pages or interrupt you in the middle of a video, and takes a neutral stance in the war between Budweiser and Coors.

Re:

[djinn6]

On the plus side, they'll probably only share it with Chinese government, which can't screw me over as much as the American one.

Oh no what an awful accident

[Anonymous Coward]

No reason to be alarmed. Clearly this is just a testing and debugging feature introduced by some errant developer that's been accidentally left in the release build firmware. It will be patched and fixed and you can all go back to buying these phones in safety. No way the Chinese government would have deliberately done this.

Re:

[Anonymous Coward]

With the Chinese government half a world away, I am way more worried about the US Govt. having my text messages than Chairman Mao.

Re:

[I'm New Around Here]

Don't worry, they didn't mention Grindr messages in the article.

Re:

[SScorpio]

I'm not worried either considering Mao's been dead for forty years. Chairman Meow on the other hand....

Re:

[ShanghaiBill]

I'm not worried either considering Mao's been dead for forty years.

History is repeating itself. Xi Jinping is purging his political opponents, mostly by accusing them of corruption, and promoting a personality cult. It will be interesting to see if he steps down at the end of his term in office, or whether he stays on "for the good of the nation".

Re:

[Anonymuous Coward]

That is an idiotic thing to say.

Even if the data sent from the phone to the Chinese is encrypted, the phone has to have the key, so it's trivial for just anybody to intercept and read your messages. Including the US Govt. or low-key scammers.

Re:

[whoever57]

Even if the data sent from the phone to the Chinese is encrypted, the phone has to have the key, so it's trivial for just anybody to intercept and read your messages

Apparently you never heard of asymmetric encryption. [techtarget.com] So, no the phone doesn't need to have the key required to decrypt the data.

Re:

[Anonymuous Coward]

Haven't had your coffee yet?

The story is about your phone sending your personal data to some 3rd party, not about your phone downloading stuff from some 3rd party. Who has to encrypt and who has to decrypt there?

The only way to "secure" that somehow is to have some unique (and unpredictable) secret token burned into each phone, and derive the encryption key from it. The IMEI or serial number won't cut it.

Re:

[viperidaenz]

Or have the phone encrypt the data with the servers public key, so only the servers private key can decrypt it?

Re:

[whoever57]

You either did not read or did not understand the link I gave to you. Read it and try to see if you can wrap your tiny mind around it.

Re:

[laing]

Don't worry, the US Government will most definitely also get a copy of any IP traffic sent between US soil and the PRC.

Another Day, Another Android Exploit

[TheFakeTimCook]

This is like Windows XP. What a cluster!

Re: Another Day, Another Android Exploit

[Anonymous Coward]

This has nothing to do with Android... it's not a bug. This is preinstalled malware on Chinese phones.

Stop drinking the koolaid.

Re:

[TheFakeTimCook]

Stop drinking the koolaid.

If you look at TheFakeTimCook's posting history, you'll conclude that he's actually serving the koolaid. His posts are nothing but a constant stream of pro-Apple/anti-[everything else] drivel.

Looks like he pulled the trigger on this one with an anti-android dig without fully thinking it through.

I am honored that the AC has so little to actually do in his life that he/she can devote the effort to launch an in-depth analysis of my Slashdot Posts.

Perhaps if this alleged human would favor us with a Login, we could return the favor, and do an in-depth analysis if his/her Posting history, eh?

Re:

[magarity]

It may be tedious but you can uninstall bloatware from your big-brand Windows PC. The *^&%$ preinstalled Android stuff can't because they compile it into the ROM.

It's called "root". (Adminstrator for Windows user

[raymorris]

It's called root. You enable root, then choose from any of the many apps which mount the "rom" read-write and you check off which pre-installed apps you want to remove.

Always a good sign...

[fuzzyfuzzyfungus]

The really disturbing thing isn't that some shit Chinese handsets are full of spyware; but that our own technology industry is so overrun with advertisers, tracking, and 'analytics', that we can't distinguish between espionage and the Chinese just catching up with our business models; because the only real difference is that espionage tends to run at a loss, while advertising is economically self sustaining.

Re:Always a good sign...

[Anonymous Coward]

This isn't new. Has everyone already forgot about Carrier IQ?

Re:Always a good sign...

[alvinrod]

If a government can legally compel a company to hand over their advertising information, there's no functional difference between the two. I can think of very little that a government might want to know about a person that an advertising agency would have no interest in collecting.

I think that Bill Hicks's [youtube.com] thoughts on the matter are still quite appropriate.

Re:

[fuzzyfuzzyfungus]

Plus, the ad guys are busily competing with one another to enhance their techniques; and since they are (on the whole) turning a profit, they have no incentive to stop.

The feds have the disadvantage of being more likely to call down the jackboots on you; but unless particularly irrational their desire to spend money on further surveillance is usually outweighed by their desire to fund other projects once they are reasonably confident that the major threats are being watched.

It has really been terribly

Re:

[ljw1004]

the only real difference is that espionage tends to run at a loss, while advertising is economically self sustaining.

I'm not sure what calculation that would be. Advertising costs money, is paid for out of revenue, which is paid for by passing the cost to customers. Espionage costs money, is paid for out of government funds, which is paid by passing the cost to tax-payers.

willing to bet, or at least think about

[w3bd4wg]

I am willing to bet that this code was originally meant to monitor Chinese users and was either put in by a Chinese agent without the companies knowledge or forded to be put in by the Chinese government. I would be willing to think that someone forgot to take it out, or someone said lets try this, but for the Chinese government to do something so obvious...I do now know.

"updated the software to eliminate the feature"

[SpankiMonki]

Oh, it was just a feature. Whew! What a relief. For a second there, I thought it might be malware.

Re:

[fustakrakich]

Like everything else, it's totally dependent on your point of view.

Japanese

[Oswald McWeany]

I'm going to send texts saying I'm eating Japanese food on a more regular basis now.

Hey honey, look at this Japanese sweet and sour chicken I'm eating. I feel like going to the Japanese restaurant for General Tsao's chicken tonight.

- that oughta piss 'em off.

Re:

[93 Escort Wagon]

General Tsao's Chicken is Chinese.

Re:

[clemdoc]

whoosh

General Tso's chicken is "chinese" food

[Anonymous Coward]

General Tso's chicken is about as Chinese as KFC. It's loosely based on Hunan cuisine but it originated in America ( NYC [wikipedia.org]). A shame really, authentic Chinese food is awesome. If you're ever in NYC hit up Xi'an Famous Foods [xianfoods.com], the lamb cumin noodles are fantastic. If you have more time, head over to Flushing and dive into almost any of the shops there and learn what real Chinese food is (and a good deal of it is much, much spicer than what your local take out place serves). I moved to NYC from Texas and I'm

Re:

[VorpalRodent]

It's loosely based on Hunan cuisine

I initially read that as "Human" cuisine...as a picky eater, I can say that the meaning of the sentence as a whole didn't change substantially once I noticed my error.

Re:

[Dutch Gun]

Exactly. And in Japan, curry (which is insanely popular, apparently) is considered "western food". Neither assumption is correct. Food is a bit like language that way, in how it gets borrowed and adapted in ways that make purists cry... but no one else cares, and enjoys their food.

Re:General Tso's chicken is "chinese" food

[avandesande]

India is West of Japan

Re: General Tso's chicken is "chinese" food

[Lance McGrath]

So is Hawaii, if you travel far enough.

Re:

[avandesande]

Actually I wasn't trying to be funny. Without knowing a thing about Chinese culture I would guess that China has very different perspective on what is Asia, 'the far east', 'the west' etc.... those are 'western' constructs.

Re:

[painandgreed]

India is West of Japan

By Western, they do mean European. That's because the Japanese got curry from advisors from the British navy (who got it from India). Curry is a good way to prevent scurvy which the Japanese had a big issue with on their first naval trip to Hawaii and the Americas and spent month in port just recovering. So, they adopted British naval cuisine which was curry. Apparently, they still serve curry in the Japanese navy every Friday. They have done their own thing with it by adding flour to the sauce to make it t

Re:

[UberVegeta]

in Japan, curry (which is insanely popular, apparently) is considered "western food". Neither assumption is correct.

Japanese curry is an import from the UK, not from India, which gives it its Western credentials.

Said curry is gaining popularity in the UK. For the uninitiated, in both places it's commonly sold under the name "katsu curry" which is a direct corruption of the English word "cuts" (katsu curry is served as sliced chicken with breadcrumbs in a mild curry sauce with white rice). This isn't an exhaustive definition, the curry can be sold with things other than sliced breaded chicken.

There are two slightly odd/am

Re:

[Dutch Gun]

Japanese curry is an import from the UK, not from India, which gives it its Western credentials.

That's like calling spaghetti an American dish because it was introduced to someone by an American. Anyhow, my point is that it doesn't really matter what we think, as Japanese will continue to consider curry "western", even though it's not, and Americans will continue to think fortune cookies are Chinese, which they aren't. Meh.

Disclaimer: I'm not a Japanophile. I've just watched a lot of anime.

Re:

[Rakarra]

Japanese curry is an import from the UK, not from India, which gives it its Western credentials.

I see a lot of "Vermont Curry." Until going through Japanese curry options, I had no idea that Vermont was such a curry hotspot and originator!

Re:

[ShanghaiBill]

General Tso's chicken is about as Chinese as KFC.

Most Americanized Chinese food is terrible. Even if you go to an authentic family-run Chinese restaurant, they will often have a separate menu for non-Chinese, with extra starch, grease, salt, and sugar, since they assume that is what you want. You have to specifically ask for the "Chinese menu". Just say "Qing gei wo zhongwen caidan". Oh, and the menu will be in Chinese, so you will need to learn to read hanzi.

Re:

[TheSync]

I ordered the poached whole frog once from the Chinese menu. I went back to sweet & sour chicken real fast!

Re:

[PmanAce]

It's North American actually.

Re:Japanese

[Culture20]

No one in China knows what the hell General Tso's Chicken is.

It's four pay grades better than Colonel Sanders' chicken, that's what it is!

Re:

[GTRacer]

I think I love you. I really needed a good laugh, and, like the man said, there it is!

Re:

[JustAnotherOldGuy]

mega-uber-whoosh

Re:

[Ogive17]

Start mentioning the Senkaku islands if you want to make a splash

Is your phone affected?

[resfilter]

From the press release, the affected phones have the following services installed:

    com.adups.fota.sysoper
    com.adups.fota

I'd probably check your phone to ensure those don't exist. ... And it sends data to the following domains, if ya wanted to firewall or sniff it or whatever:

    bigdata.adups.com (primary)
    bigdata.adsunflower.com
    bigdata.adfuture.cn
    bigdata.advmob.cn

Re:

[Anonymous Coward]

From the press release, the affected phones have the following services installed:

com.adups.fota.sysoper

com.adups.fota

I'd probably check your phone to ensure those don't exist. ... And it sends data to the following domains, if ya wanted to firewall or sniff it or whatever:

bigdata.adups.com (primary)

bigdata.adsunflower.com

bigdata.adfuture.cn

bigdata.advmob.cn

How about carpet bombing the servers you just listed? It would most likely bring down the core of the Chinese internet. We can teach the Chinese how to play "Ping" pong with a good concerted dos session I am sure. While were at it we could really throw a monkey wrench into the jerks in the states that wrote the crapware in the first place. Adware on commercial products is one thing but hiding it should be punished with an equal dose of poison. Hell even Microsoft does not try to hide adware in the system in

Re:

[OrigamiMarie]

Note: checking your running services has gotten harder in Marshmallow. Here's a guide: http://www.howtogeek.com/25830... [howtogeek.com]

In Soviet America, Chinese chairman spies you!

[fubarrr]

In Soviet America, Chinese chairman spies you!

Thanks Google

[110010001000]

This is on Google. They need to get a grip on Android.

Re:

[iggymanz]

wrong, on the phone manufacturer who installed evil software. the OS is irrelevant, can be done with any OS

Subnet blocked for SSH abuse

[satch89450]

I checked the owning subnet, and found that I had already blocked the entire allocation for SSH abuse. Seems there are multiple bad actors in that part of the world.

Which subnet?

[bigbang137]

What is the subnet? What do you use to block it? Does my phone necessarily need to be rooted for me to block? Thanks.

Re:

[satch89450]

I just checked, and they have moved their name into a different subnet. Snowshoes in action.

Re:

[GTRacer]

Or, like me, you willingly accepted the bargain. I don't mind *Google* having my info, as it lowers friction across their services and makes my searches/maps better. I don't like the idea they can and do hand it over to the TLA's, but I'm not stupid enough to believe we really have any choice there anyways,

What I do not agree to is foreign governments or actors having that info. I install precious few apps, mainly because 90% of them are garbage, and otherwise to limit my exposure. That, and XPrivacy + ho

There!

[Tablizer]

It's not "theoretical" anymore, Mr. Comey

Android wins!

[Ol Olsoc]

Android collects and sends text messages to state actors much better than that fucking overpriced hipster shit that Apple sells. Tak that - Apple Fanbois!

Whats the difference anyway

[bearvarine]

Nowadays "advertising information" is the new biometrics. Or, if you will, meta-biometrics. Its already been reported that it takes only 3 pieces of user preference data to uniquely identify most people. Get used to it. Resistance is Futile. If it isn't already, your every move on the internet is being tracked, indexed, cross-referenced and added to your "dossier". End of story.