
pnwmom

(108,994 posts)
Thu Nov 17, 2016, 08:48 PM

Major security risk for some Android phones: they can send customer texts and info to China.

http://www.telegraph.co.uk/technology/2016/11/16/cheap-android-phones-send-owners-text-messages-and-location-data/

Owners of cheap smartphones could have been the victims of an unprecedented privacy intrusion after security researchers found that some low-cost Android devices have been regularly sending personal information, including the contents of messages and location, to China.

One of the most extensive backdoors found in a device to date, the software that comes installed on several models of Android phones has been allowing the smartphones to collect the sensitive information from users and send it to a Chinese company without the owner knowing.

The problem affects a number of phones that cost around £50 and are for sale at major retailers, including Amazon and BestBuy in the US, according to the researchers at Kryptowire, the mobile phone security company that discovered the privacy issue. The software in question is installed on phones from Blu Products. The manufacturer sells phones in the UK, although it is unclear how widespread the software is used.

SNIP

The sent data included the contents of text messages, location information, contacts and call history with phone numbers, installed apps, and identifiable information about the handset. The backdoor, which had been highlighted by other researchers, could also be used to bypass the phone's security to control and reprogram the device.

SNIP

http://www.kryptowire.com/adups_security_analysis.html

Kryptowire has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD. These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information. The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd.

Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.