Cheap phones are coming at the price of your privacy, security analysts discovered.
At $60, the Blu R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China.
Shanghai Adups Technology, the group behind the spying software on the Blu R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same “mistake” on other phones.
At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups’ software is still sending a device’s data to the company’s server in Shanghai without alerting people. But now, it’s being more secretive about it.
“They replaced them with nicer versions,” Ryan Johnson, a research engineer and co-founder at Kryptowire, said. “I have captured the network traffic of them using the command and control channel when they did it.”
An Adups spokeswoman said that the company had resolved the issues in 2016 and that the issues “are not existing anymore.”
Kryptowire said it has observed Adups sending data without telling users on at least three different phones.
This year’s Black Hat conference comes against the backdrop of a year’s worth of reports about Russian hacking and its intrusion into the 2016 presidential race, as well as news in the last few months about ransomware attacks that hijack people’s computers, to be unlocked (if you’re lucky) for a fee.
People have enough to worry about when it comes to privacy on their personal devices. Between government surveillance and security vulnerabilities, preinstalled software on the phone itself is an unexpected breach of both trust and privacy for millions of owners who are just looking for an inexpensive phone.
‘A huge invasion of privacy’
Having access to the command and control channel, the communications route between the phone and Adups' server, let Adups run commands on the device as though it were the user. That means it could also install apps, take screenshots, record the screen, make calls and wipe the device, all without asking permission.
“It does seem like a huge invasion of privacy,” Johnson said.
Kryptowire looked at more than 20 pieces of firmware from low-end Android devices. All of them had vulnerabilities that could be abused for spying, and all of them ran on a MediaTek chipset. That chipset always came with a preinstalled app called MTKLogger, which, if hijacked, could be used to capture data such as your browsing history and GPS location.
MediaTek said it resolved the issue in November, but researchers at Kryptowire found out last week that the Blu Advance 5.0 still ships with a vulnerable version of the app. The phone, which is the third best-selling phone on Amazon, does not have a firmware update available to stop a potential exploit, Johnson said.
It works through privilege escalation, in which an app obtains permissions far beyond what it was granted, and far beyond what you would want it to have. Kryptowire has not yet found a case in which MTKLogger was actually hijacked, but the vulnerability still exists.
Kryptowire originally discovered Adups' data collection last October. After it was revealed, Adups removed the tracking from devices like the Blu R1 HD and the Blu Life One X2, two phones popular on Amazon for their low prices. Since then, those two devices have stopped sending text messages and call logs to China.
Blu did not respond to requests for comment.
A widespread problem
Johnson only found Adups' secret data funneling to China because the Blu R1 HD was the top-selling phone on Amazon; the same behavior persists on less prominent devices, he said. In May, he bought a Blu Grand M, which sells for $60 to $75, from Best Buy.
Six months after Adups said it made a mistake with its data tracking, Johnson discovered that it was still happening on the Blu Grand M. In May, he found the phone was sending data to China containing a list of apps installed, the apps used, unique phone identifiers like the MAC address and IMEI, the phone number, and cell phone tower ID.
It doesn't track the phone's GPS, but cell tower data is precise enough that it has been admitted as evidence in murder trials and has fueled major debates over digital privacy.
“It can generally locate a person, presuming they’re in an urban area,” Johnson said.
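The practical check a researcher makes after reading the list above is the one Kryptowire describes: capture the phone's outbound traffic and look for the device's own identifiers in it. The script below is an added example, not Kryptowire's or Adups' code. It takes a device's IMEI, MAC address and phone number (constructed values here, not a real handset) and scans constructed request bodies for those identifiers in plain, hashed or base64 form, since exfiltrating agents often send a hash of the IMEI as a "device id" rather than the raw number. It also flags any other 15-digit number that passes the IMEI check digit, which catches identifiers you did not think to supply.

```python
"""Scan captured outbound request bodies for a phone's identifiers.

Added example (not Kryptowire's tooling). The identifiers and the captured
requests below are constructed for illustration.
"""
import base64
import hashlib
import json
import re

# Identifiers of the device under test (constructed values, not a real phone).
DEVICE_IDS = {
    "imei": "490154203237518",   # satisfies the IMEI Luhn check digit
    "mac": "02:00:5e:10:00:01",
    "phone": "+15555550123",
}


def luhn_ok(digits):
    """Luhn check used for the IMEI check digit; filters out random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def variants(value):
    """Map each form an agent might send (raw, normalized, hashed, base64) to a label."""
    forms = {value, value.lower(), value.upper()}
    stripped = re.sub(r"[^0-9a-zA-Z]", "", value)   # MAC without colons, phone without '+'
    forms.update({stripped, stripped.lower(), stripped.upper()})
    out = {}
    for f in forms:
        out[f] = "plain"
        for algo in ("md5", "sha1", "sha256"):
            out[hashlib.new(algo, f.encode()).hexdigest()] = algo
        out[base64.b64encode(f.encode()).decode()] = "base64"
    return out


def scan(requests, device_ids=DEVICE_IDS):
    """Return (request index, identifier name, encoding) for every identifier hit."""
    findings = []
    tables = {name: variants(val) for name, val in device_ids.items()}
    for idx, req in enumerate(requests):
        body_lower = req["body"].lower()
        for name, table in tables.items():
            seen = set()                       # one finding per encoding per request
            for token, form in table.items():
                if form not in seen and token.lower() in body_lower:
                    seen.add(form)
                    findings.append((idx, name, form))
        # Any other 15-digit number with a valid check digit is probably an IMEI too.
        for m in re.findall(r"(?<!\d)\d{15}(?!\d)", req["body"]):
            if m != device_ids.get("imei") and luhn_ok(m):
                findings.append((idx, "unknown_imei", "plain"))
    return findings


# Constructed request captures: hosts and paths are placeholders, not real servers.
CAPTURED = [
    {"host": "collector.example.invalid", "path": "/collect",    # plain identifiers,
     "body": json.dumps({"imei": "490154203237518",              # app list, cell tower ID
                         "mac": "02:00:5e:10:00:01",
                         "tel": "+15555550123",
                         "apps": ["com.example.bank", "com.example.chat"],
                         "cell": {"mcc": 310, "mnc": 260, "lac": 4321, "cid": 98765}})},
    {"host": "collector.example.invalid", "path": "/ping",       # IMEI hashed as "did"
     "body": json.dumps({"did": hashlib.md5(b"490154203237518").hexdigest(), "ver": "2.4"})},
    {"host": "weather.example.invalid", "path": "/forecast",     # benign request
     "body": json.dumps({"city": "Las Vegas", "units": "F"})},
    {"host": "collector.example.invalid", "path": "/collect",    # a second handset's IMEI
     "body": json.dumps({"imei": "356938035643809",
                         "hist": ["https://example.invalid/news"]})},
]

if __name__ == "__main__":
    for hit in scan(CAPTURED):
        print("request %d leaks %s (%s)" % hit)
```

Run against a real capture, the request bodies would come from a proxy or packet capture taken while the phone sits idle; a hit in the hashed or base64 column is the case that a plain string search misses.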
Adups’ spying intensity varies based on the phone, but it comes preinstalled on up to 700 million devices, including cars and other connected devices. Some of the more aggressive spying would send a person’s browsing history and bookmarks.
Johnson said he hasn't found the spyware on any phone costing more than $300; Adups mostly ships on cheaper devices. And it isn't limited to Blu phones: in May, Johnson found the same data exfiltration on the Cubot X16S.
The Chinese phone, which sells for between $90 and $110, was sending call logs, browser history and location data behind users’ backs. Cubot did not respond to requests for comment.
“It seems pretty widespread around lower-end phones,” Johnson said.
Johnson tested the Cubot X16S’s software again on Monday, and found that Adups had quietly removed the backdoor app on the device — shortly after CNET reached out to the company.
It’s still unclear what happens with the data once it’s on servers in China. When Johnson contacted Adups, the company said it would just delete the data. Kryptowire was able to track the data to where it ended up, but not what was done with it.