Security firm Kryptowire has announced that it has discovered several models of budget Android phones containing pre-installed monitoring software that has been collecting sensitive personal data about their users and transmitting this information to third-party servers based in China without informing users or obtaining their consent.
The affected smartphones included the BLU R1 HD.
Kryptowire said that the data being sent to the servers includes full text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).
The firm also said that the firmware was able to target specific users and text messages matching remotely defined keywords.
According to Kryptowire, the firmware also collected and transmitted information about the use of apps installed on the device. It also bypassed the Android permission model, executed remote commands with escalated system privileges and was able to remotely reprogram the devices.
The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other personally identifiable information.
Kryptowire vice president of product Tom Karygiannis told The Verge that it “isn’t a vulnerability, it’s a feature”.
The company explained that the firmware that shipped with the mobile devices – and subsequent updates – allowed for the remote installation of applications without users' consent. It also let the company responsible for the software access fine-grained device location information in some versions of the software.
According to Kryptowire, the core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system.
Chinese company Shanghai Adups Technology Company was found to be responsible for the software, but it is not yet known whether this is an attempt at state surveillance or whether the information is being gathered for advertising purposes.
The discovery highlights the need for a secure mobile device management system, particularly for businesses operating a Bring Your Own Device (BYOD) policy.