Firmware Secretly Sent Text, Call Data On Android Users To China
Source: Dark Reading
Several Android smartphone models sold in the US, including via major online retailers like Amazon and BestBuy, had firmware in them that surreptitiously collected and sent detailed personally identifiable information on users and devices to a server based in China.
An employee working for DARPA-funded security firm Kryptowire stumbled upon the issue when using a burner phone from Miami-based BLU Products he had purchased for a trip overseas. When setting up the device, the Kryptowire employee noticed some strange network activity and started poking around.
The investigation led to the discovery of firmware on the phone designed to actively transmit device identifying data and user information, including the complete content of text messages, full contact lists, call history data, and other information to a server based in Shanghai.
The firmware bypassed Androids permission model and also collected and transmitted information on the use of applications installed on the device, Kryptowire announced in an alert this week. It executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices, the security firm said.
<snip>
Read more: http://www.darkreading.com/mobile/firmware-secretly-sent-text-call-data-on-android-users-to-china/d/d-id/1327498
haele
(12,650 posts)And the company just didn't notice the unusually huge server activity and storage requirements for a monitoring system that was built at the request for maybe 25 - 50 users. Totally innocent mistake - and a bit of incompetence, as hundreds of thousands(if not a million or more) of dollars would be wasted on the required upgrade and maintenance to support the tracking of all those additional thousands of phone users. All due to an apparent lack of system oversight.
What was their sysadmin doing, and why wasn't s/he fired along with someone high up in manufacturing and sales within the first month - since the company wasn't planning on doing more than making a specific firmware change to support a request of a couple dozen wealthy users to easily track and winnow out spam and other junk communications?
Just a mistake? Sure....
Haele
leftyladyfrommo
(18,868 posts)I don't put anything on my phone that is personal. I don't email anything that the whole world can't see.