Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security China

Secret Backdoor in Some US Phones Sent Data To China (nytimes.com) 111

Security contractors have warned that many Android smartphones ship with preinstalled software that has a backdoor that sends all your text messages to China every 72 hours. (Editor's note: the link could be paywalled; here's the press release.) The New York Times reported Tuesday that "the American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence." From the report: International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature. Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. "Even if you wanted to, you wouldn't have known about it," he said.
This discussion has been archived. No new comments can be posted.

Secret Backdoor in Some US Phones Sent Data To China

Comments Filter:
  • by Calydor ( 739835 ) on Tuesday November 15, 2016 @11:05AM (#53289569)

    Why not both?

    Is there some magical thing that says if something is collecting for advertisement purposes it can't be shared with intelligence agencies?

    • by Anonymous Coward

      Right. We know from the Snowden leaks that US intelligence doesn't miss any opportunity to collect data. Why would China be any different?

    • Meanwhile, Public Backdoor in Many Chinese Phones Sent Data To US.

    • So many web devs adamantly support advertising as the way to make money and keep their jobs. So why not support government spying a a means to make money, they've already sold their souls to the advertisers so one more concession shouldn't be a big deal, right? After all government spying at least is not as intrusive as ads, the government actually makes it a point to not clutter up the web pages or interrupt you in the middle of a video, and takes a neutral stance in the war between Budweiser and Coors.

    • by djinn6 ( 1868030 )
      On the plus side, they'll probably only share it with Chinese government, which can't screw me over as much as the American one.
  • by Anonymous Coward on Tuesday November 15, 2016 @11:09AM (#53289595)

    No reason to be alarmed. Clearly this is just a testing and debugging feature introduced by some errant developer that's been accidentally left in the release build firmware. It will be patched and fixed and you can all go back to buying these phones in safety. No way the Chinese government would have deliberately done this.

    • by Anonymous Coward

      With the Chinese government half a world away, I am way more worried about the US Govt. having my text messages than Chairman Mao.

      • Don't worry, they didn't mention Grindr messages in the article.

      • I'm not worried either considering Mao's been dead for forty years. Chairman Meow on the other hand....

        • I'm not worried either considering Mao's been dead for forty years.

          History is repeating itself. Xi Jinping is purging his political opponents, mostly by accusing them of corruption, and promoting a personality cult. It will be interesting to see if he steps down at the end of his term in office, or whether he stays on "for the good of the nation".

      • That is an idiotic thing to say.

        Even if the data sent from the phone to the Chinese is encrypted, the phone has to have the key, so it's trivial for just anybody to intercept and read your messages. Including the US Govt. or low-key scammers.

        • Even if the data sent from the phone to the Chinese is encrypted, the phone has to have the key, so it's trivial for just anybody to intercept and read your messages

          Apparently you never heard of asymmetric encryption. [techtarget.com] So, no the phone doesn't need to have the key required to decrypt the data.

          • Haven't had your coffee yet?

            The story is about your phone sending your personal data to some 3rd party, not about your phone downloading stuff from some 3rd party. Who has to encrypt and who has to decrypt there?

            The only way to "secure" that somehow is to have some unique (and unpredictable) secret token burned into each phone, and derive the encryption key from it. The IMEI or serial number won't cut it.

            • Or have the phone encrypt the data with the servers public key, so only the servers private key can decrypt it?

            • You either did not read or did not understand the link I gave to you. Read it and try to see if you can wrap your tiny mind around it.
      • by laing ( 303349 )
        Don't worry, the US Government will most definitely also get a copy of any IP traffic sent between US soil and the PRC.
  • This is like Windows XP. What a cluster!
    • by Anonymous Coward on Tuesday November 15, 2016 @11:18AM (#53289679)

      This has nothing to do with Android... it's not a bug. This is preinstalled malware on Chinese phones.

      Stop drinking the koolaid.

    • It may be tedious but you can uninstall bloatware from your big-brand Windows PC. The *^&%$ preinstalled Android stuff can't because they compile it into the ROM.

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday November 15, 2016 @11:11AM (#53289619) Journal
    The really disturbing thing isn't that some shit Chinese handsets are full of spyware; but that our own technology industry is so overrun with advertisers, tracking, and 'analytics', that we can't distinguish between espionage and the Chinese just catching up with our business models; because the only real difference is that espionage tends to run at a loss, while advertising is economically self sustaining.
    • by Anonymous Coward on Tuesday November 15, 2016 @11:56AM (#53289931)

      This isn't new. Has everyone already forgot about Carrier IQ?

    • by alvinrod ( 889928 ) on Tuesday November 15, 2016 @12:32PM (#53290219)
      If a government can legally compel a company to hand over their advertising information, there's no functional difference between the two. I can think of very little that a government might want to know about a person that an advertising agency would have no interest in collecting.

      I think that Bill Hicks's [youtube.com] thoughts on the matter are still quite appropriate.
      • Plus, the ad guys are busily competing with one another to enhance their techniques; and since they are (on the whole) turning a profit, they have no incentive to stop.

        The feds have the disadvantage of being more likely to call down the jackboots on you; but unless particularly irrational their desire to spend money on further surveillance is usually outweighed by their desire to fund other projects once they are reasonably confident that the major threats are being watched.

        It has really been terribly
    • by ljw1004 ( 764174 )

      the only real difference is that espionage tends to run at a loss, while advertising is economically self sustaining.

      I'm not sure what calculation that would be. Advertising costs money, is paid for out of revenue, which is paid for by passing the cost to customers. Espionage costs money, is paid for out of government funds, which is paid by passing the cost to tax-payers.

  • I am willing to bet that this code was originally meant to monitor Chinese users and was either put in by a Chinese agent without the companies knowledge or forded to be put in by the Chinese government. I would be willing to think that someone forgot to take it out, or someone said lets try this, but for the Chinese government to do something so obvious...I do now know.
  • by SpankiMonki ( 3493987 ) on Tuesday November 15, 2016 @11:19AM (#53289681)
    Oh, it was just a feature. Whew! What a relief. For a second there, I thought it might be malware.
  • Japanese (Score:5, Funny)

    by Oswald McWeany ( 2428506 ) on Tuesday November 15, 2016 @11:28AM (#53289749)

    I'm going to send texts saying I'm eating Japanese food on a more regular basis now.

    Hey honey, look at this Japanese sweet and sour chicken I'm eating. I feel like going to the Japanese restaurant for General Tsao's chicken tonight.

    - that oughta piss 'em off.

    • General Tsao's Chicken is Chinese.

      • by clemdoc ( 624639 )
        whoosh
      • by Anonymous Coward

        General Tso's chicken is about as Chinese as KFC. It's loosely based on Hunan cuisine but it originated in America ( NYC [wikipedia.org]). A shame really, authentic Chinese food is awesome. If you're ever in NYC hit up Xi'an Famous Foods [xianfoods.com], the lamb cumin noodles are fantastic. If you have more time, head over to Flushing and dive into almost any of the shops there and learn what real Chinese food is (and a good deal of it is much, much spicer than what your local take out place serves). I moved to NYC from Texas and I'm

        • It's loosely based on Hunan cuisine

          I initially read that as "Human" cuisine...as a picky eater, I can say that the meaning of the sentence as a whole didn't change substantially once I noticed my error.

        • Exactly. And in Japan, curry (which is insanely popular, apparently) is considered "western food". Neither assumption is correct. Food is a bit like language that way, in how it gets borrowed and adapted in ways that make purists cry... but no one else cares, and enjoys their food.

          • by avandesande ( 143899 ) on Tuesday November 15, 2016 @01:33PM (#53290715) Journal
            India is West of Japan
            • So is Hawaii, if you travel far enough.
              • Actually I wasn't trying to be funny. Without knowing a thing about Chinese culture I would guess that China has very different perspective on what is Asia, 'the far east', 'the west' etc.... those are 'western' constructs.
            • India is West of Japan

              By Western, they do mean European. That's because the Japanese got curry from advisors from the British navy (who got it from India). Curry is a good way to prevent scurvy which the Japanese had a big issue with on their first naval trip to Hawaii and the Americas and spent month in port just recovering. So, they adopted British naval cuisine which was curry. Apparently, they still serve curry in the Japanese navy every Friday. They have done their own thing with it by adding flour to the sauce to make it t

          • in Japan, curry (which is insanely popular, apparently) is considered "western food". Neither assumption is correct.

            Japanese curry is an import from the UK, not from India, which gives it its Western credentials.

            Said curry is gaining popularity in the UK. For the uninitiated, in both places it's commonly sold under the name "katsu curry" which is a direct corruption of the English word "cuts" (katsu curry is served as sliced chicken with breadcrumbs in a mild curry sauce with white rice). This isn't an exhaustive definition, the curry can be sold with things other than sliced breaded chicken.

            There are two slightly odd/am

            • Japanese curry is an import from the UK, not from India, which gives it its Western credentials.

              That's like calling spaghetti an American dish because it was introduced to someone by an American. Anyhow, my point is that it doesn't really matter what we think, as Japanese will continue to consider curry "western", even though it's not, and Americans will continue to think fortune cookies are Chinese, which they aren't. Meh.

              Disclaimer: I'm not a Japanophile. I've just watched a lot of anime.

            • by Rakarra ( 112805 )

              Japanese curry is an import from the UK, not from India, which gives it its Western credentials.

              I see a lot of "Vermont Curry." Until going through Japanese curry options, I had no idea that Vermont was such a curry hotspot and originator!

        • General Tso's chicken is about as Chinese as KFC.

          Most Americanized Chinese food is terrible. Even if you go to an authentic family-run Chinese restaurant, they will often have a separate menu for non-Chinese, with extra starch, grease, salt, and sugar, since they assume that is what you want. You have to specifically ask for the "Chinese menu". Just say "Qing gei wo zhongwen caidan". Oh, and the menu will be in Chinese, so you will need to learn to read hanzi.

          • by TheSync ( 5291 )

            I ordered the poached whole frog once from the Chinese menu. I went back to sweet & sour chicken real fast!

      • It's North American actually.
      • mega-uber-whoosh

    • by Ogive17 ( 691899 )
      Start mentioning the Senkaku islands if you want to make a splash
  • by resfilter ( 960880 ) on Tuesday November 15, 2016 @11:31AM (#53289771)

    From the press release, the affected phones have the following services installed:

        com.adups.fota.sysoper
        com.adups.fota

    I'd probably check your phone to ensure those don't exist. ... And it sends data to the following domains, if ya wanted to firewall or sniff it or whatever:

        bigdata.adups.com (primary)
        bigdata.adsunflower.com
        bigdata.adfuture.cn
        bigdata.advmob.cn

    • by Anonymous Coward

      From the press release, the affected phones have the following services installed:

      com.adups.fota.sysoper

      com.adups.fota

      I'd probably check your phone to ensure those don't exist. ... And it sends data to the following domains, if ya wanted to firewall or sniff it or whatever:

      bigdata.adups.com (primary)

      bigdata.adsunflower.com

      bigdata.adfuture.cn

      bigdata.advmob.cn

      How about carpet bombing the servers you just listed? It would most likely bring down the core of the Chinese internet. We can teach the Chinese how to play "Ping" pong with a good concerted dos session I am sure. While were at it we could really throw a monkey wrench into the jerks in the states that wrote the crapware in the first place. Adware on commercial products is one thing but hiding it should be punished with an equal dose of poison. Hell even Microsoft does not try to hide adware in the system in

    • Note: checking your running services has gotten harder in Marshmallow. Here's a guide: http://www.howtogeek.com/25830... [howtogeek.com]
  • In Soviet America, Chinese chairman spies you!

  • Thanks Google (Score:1, Insightful)

    This is on Google. They need to get a grip on Android.
    • wrong, on the phone manufacturer who installed evil software. the OS is irrelevant, can be done with any OS

  • I checked the owning subnet, and found that I had already blocked the entire allocation for SSH abuse. Seems there are multiple bad actors in that part of the world.
  • It's not "theoretical" anymore, Mr. Comey

  • Android collects and sends text messages to state actors much better than that fucking overpriced hipster shit that Apple sells. Tak that - Apple Fanbois!
  • Nowadays "advertising information" is the new biometrics. Or, if you will, meta-biometrics. Its already been reported that it takes only 3 pieces of user preference data to uniquely identify most people. Get used to it. Resistance is Futile. If it isn't already, your every move on the internet is being tracked, indexed, cross-referenced and added to your "dossier". End of story.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...