120,000 US smartphones found to send private data back to China; millions of Chinese presumably still affected

Posted on Nov 16, 2016 by Caleb Chen
smartphone backdoor

A secret backdoor in some Android smartphones has been discovered by Kryptowire, an American security firm. Kryptowire announced their findings in a press release early Tuesday morning. The backdoor was made by Shanghainese company AdUps at the behest of an unnamed Chinese phone manufacturer. The backdoor is located in the smartphone’s firmware and was discovered on phones sold by American phone manufacturer BLU Products. BLU Products confirmed that 120,000 of their phones were affected. AdUps’ software is used on 700 million phones around the world, and it is still unclear if all of them are affected.

All this exists because a still unnamed Chinese manufacturer wanted the ability to receive private information on device users. Adups claims that the Chinese manufacturer was doing so in order to provide better customer support. Realistically, this is more likely an instance of a domestic mass surveillance program that accidentally spilled overseas. China has been cracking down on open internet use for some time, and has recently passed new cybersecurity laws that force ISPs to store IP address logs for 6 months at least.

Smartphones from BLU Products sent private information to China

If you used any of these phones, the Chinese government has likely seen your text messages. According to BLU Products, the list of affected American phones are as follows:

  • R1 HD
  • Energy X Plus 2
  • Studio Touch
  • Advance 4.0 L2
  • Neo XL
  • Energy Diamond

Don’t worry though, AdUps has promised that all the data siphoned from 120,000 American smartphones has since been deleted from their server in Shanghai. No word on whether the Chinese government’s copy in Beijing has been deleted. Additionally, AdUps software is still on Huawei and ZTE phones in China.

Kryptowire has contacted the Department of Homeland Security (DHS) with their findings; the DHS released a statement stating that it “was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies.”

The affected American supplier, BLU Products, claims that the software has since been patched. BLU Product’s claims are backed up by a statement from Google officials, which revealed that Google had long since asked AdUps to remove such software from any Android phone with access to the Google Play Store – the extent of Google’s legal reach. This also confirms that the AdUps software is still running in China, likely at the behest of the ruling party.