According to a report released by security firm Kryptowire, certain commercial firmware preloaded on a number of Android powered mobile devices released in the United States smartphone market are actually transmitting personal information to a third party in China. The personal information being sent consisted of mobile users’ contacts lists, phone call logs, text messages, data on app usage, and even location information. Perhaps one of the most pressing questions right now is which devices exactly have this firmware preinstalled? Kryptowire has not provided a full list, but one of the affected handsets is said to the BLU R1 HD, which is easily available from most retail outlets for $50.
Kryptowire was able to trace the personal data transmissions to a Chinese company called Shanghai Adups Technology, which specializes in producing Firmware Over The Air (FOTA) update software systems. According to Shanghai Adups, the firmware was installed erroneously on a number of devices released in America. Moreover, the version that had been preloaded in US devices was supposed to be created for a Chinese original equipment manufacturer that sells smartphone devices in China.
As indicated in its website, Shanghai Adups has over 700 million active users around the world, capturing a market share of over 70 percent across more than 200 countries. Its FOTA update software systems have been integrated into over 400 wireless carriers, semiconductor suppliers, and tech manufacturers, which means that its firmware is not only used in mobile devices, but also possibly in wearable devices, television sets, and automobiles.
As reported by the New York Times, Shanghai Adups originally designed the firmware to ward off spam texts while at the same time, serving as support for customer service. The company is saying now that ever since Kryptowire has notified it about the firmware, it has deleted all information accidentally collected. But it is no comfort knowing that by the time the firmware was detected, some 120,000 handsets have already been compromised. It did not help that because the firmware was preloaded in devices, it had managed to evade detection by antivirus software, which generally go for apps that are not originally installed on devices.
Indeed, this scenario is a lot trickier because it involves the supply chain. Manufacturers generally trust their suppliers to not be involved in any monkey business, and when something fishy does go on there, the customers are often the most affected. In this case, their personal data is being transmitted without their knowledge and permission.
