Low budget Android phones in the US have found to be sending user data to China, without the permission of the user. The data being transmitted included the apps installed on the device, what order the apps were used, diagnostic data, lists of files, the call logs, the numbers of the people the user had messaged, and the content of the text messages sent by the user. In some instances, the location information of the user was also transmitted. The data was being sent to Shanghai Adups Technology Limited.
Anti Virus software was not detecting the secret transmissions, because they normally assume that the firmware installed on the device by the manufacturers are safe. An expert user would have been able to detect the transmissions, but not a regular user. The compromised firmware was able to remotely reprogram the devices, bypass existing Android permissions, and allow for remote control of the device. The firmware essentially acted as a backdoor to devices.
The secret transmissions were discovered by Kryptowire, a company started by the US Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS). Google, Amazon, Adups and Blu were all informed of the transmissions. Permission from the user was not taken for transmitting the data, and the data was itself packed in multiple layers of encryption.
Blue representatives confirmed to the New York Times that the firmware was not meant for devices used in the US, and that it had acted swiftly to resolve the issue. Blu smartphones in the market are no longer affected, and are not beaming back data to China any more. Additionally, Blu representatives re-assured users that all data collected so far has been destroyed. Adups, Google, Blu or Kryptowire have not revealed a complete list of affected models.
In response to the disclosure by Kryptowire, Adups released a statement in response, claiming that the technology used in the firmware was for identifying and flagging junk text messages. The firmware was inadvertently shipped with the Blu devices. Adups has been cooperating with Blu and Google to make sure the data is not collected again. The data was collected for only a short period of time, and was not shared with anyone else.