In the past year or so, Android vulnerabilities affecting nearly a billion users have been discovered, and Google has responded by issuing monthly updates. However, manufacturers might make things difficult for the search giant, as some of them are reportedly adding backdoors that send data back to servers in China.
According to research published by security firm Kryptowire, some Android smartphones from US-based smartphone maker BLU were found to contain a pre-loaded application developed by Shanghai Adups Technology. The application transmitted user data such as text messages, location information and call logs to Chinese servers every 72 hours.
Adups' website states that it is one of the largest firmware-over-the-air (FOTA) providers, with over 200 million smartphones using its update system. The user base of its monitoring application is close to 700 million. It is unclear whether the company is using the transmitted data for advertising purposes or state-sponsored surveillance, but the collection of such data is a matter of concern for all users.
Kryptowire managed to get a statement from BLU, which is one of the manufacturers found to be shipping the program on its devices. The company said:
"BLU Products has identified and has quickly removed a recent security issue caused by a third party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices."
According to a representative for Adups in the US, the software was accidentally shipped on the BLU smartphones and was intended only for use in China to flag spammers. Even though BLU has addressed the issue for now, users buying budget smartphones should be aware of the risks involved, as these devices also rarely receive any updates. In addition, most BLU phones are made by Chinese OEMs, and such devices can contain backdoors like this one if they are not checked thoroughly by quality assurance teams.
Source: Kryptowire, The New York Times via The Verge