mercredi 16 novembre 2016

Report – Some Android phones transmit SMS, Call Logs, and Location to a Chinese Server

Heightened concerns over leakage of personally identifiable information has led to many electronics manufacturers to implement tightened security measures in their products. In contrast, the world of digital advertising has became more pervasive over time, in some parts due to better data mining algorithms. These two facts have proven to be a conundrum for many software companies: how can they balance the consumer need for choosing who gets access to what data with the business need to study their user base.

Some companies such as Google opt to provide a compelling, but free, product for users in the hopes that the company can improve their search, advertising, or AI algorithms. While the likes of Google may pull more user data than some would prefer, the products they offer are good enough for most users to not really care about the privacy they're giving up. On the other hand, some companies opt to data mine users without explicit user consent or disclosure – instead assuming that installation or purchasing of a product is implying consent for data mining.

You may remember the controversy surrounding CarrierIQ, a mobile diagnostic software suite that came pre-installed on many smartphones sold by carriers within the United States. CarrierIQ was so ubiquitous, and the backlash so great, that eventually several high-ranking members of the U.S. government became involved, and eventually the widespread use of CarrierIQ was discontinued around early 2012. But CarrierIQ is just one high profile example of data mining software that happened to catch national attention. A report out by security firm KryptoWire indicates that a new, even more intrusive data mining software suite is pre-installed on many Android smartphones including the popular BLU R1 HD sold on Amazon.


Adups – Carrier IQ v2?

A Chinese technology firm called Shanghai Adups Technology Co. Ltd. is responsible for the creation of a software package that is said to be pre-installed on many Android devices. Adups boasts of reaching over 700 million users and claims a market share of over 70% across 150 countries. The firm claims to have created firmware that is integrated in products from over 400 telecoms, semiconductor manufacturers, and device OEMs of all stripes. This seemingly impressive list of clientele use software from Adups to accomplish a myriad of data collection on users, KryptoWire alleges.

Information that is alleged to be collected and transmitted to a server belonging to Adups in Shanghai include the following: "full-body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the IMSI and IMEI." Adups' firmware is said to be able to match keyword patterns in user data and even have the ability to bypass Android's permission model to execute commands with superuser privileges. Furthermore, Adups is alleged to even collect device location information. All of this data is collected periodically in the background without user knowledge or consent, and though the transmitted information is sent encrypted, the amount of information collected is troubling.

adups_security_analysis_figure1

Source: KryptoWire

 

 

KryptoWire discovered that this software package came installed with an OTA to affected devices that was managed by Adups. The security firm has already informed Google, Amazon, Adups, and BLU of their findings, and is reaching out to OEMs who believe their devices may be affected. BLU has already responded to the report with a statement that the affected third-party application installed by Adups has already been updated to no longer transmit all of this information. Though we have yet to see disclosure on other affected devices, according to Adups' website, their software is also installed on unspecified ZTE and Huawei products as well.

Source: KryptoWire



from xda-developers http://ift.tt/2f0is7c
via IFTTT

Aucun commentaire:

Enregistrer un commentaire