N.Y. Times: Back door in certain Android phones sends data to Chinese servers (UPDATE)

UPDATE: We have received official statements from ZTE and Huawei. "We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected."-ZTE USA

"Huawei takes our customers' privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them."-Huawei

A story in the New York Times today reveals that some smartphones contain a secret backdoor that sends data to servers located in China. Pre-installed software on certain Android powered handsets kept track of where users went to, the phone calls they made and received, and the content of text messages that were sent. The number of devices possibly involved in sending this information to China is extremely high.

The company that wrote the software, Shanghai Adups Technology Company, says that its code runs on more than 700 million smart devices including phones and cars. The software reportedly transmitted information to China every 72 hours; according to the newspaper, those most affected are international smartphone users, and those who employ pre-paid or disposable phones.

The Times says that it isn't clear whether the collection of data is being done for advertising purposes, or for espionage reasons. In the U.S., Miami-based BLU said that the data mining software was discovered on 120,000 of its phones. The company says that it has eliminated the feature with a software update. Data sent to the Chinese servers include full text messages, contact lists, call logs and location data.

In explaining its presence on BLU phones to the company's executives, Adups said that the software was designed to help Chinese phone manufacturers track the behavior of users and was not meant to be included on U.S. phones. Adups website says that its software is found on handsets manufactured by Huawei and ZTE. Both are based in China, and Huawei is currently the third largest smartphone manufacturer in the world after Samsung and Apple.

While ZTE and Huawei both sell handsets in the U.S., it was a BLU R1 HD model that helped a security firm named Kryptowire uncover the back door. A company researcher purchased the BLU handset for an overseas trip. While setting up the phone, he realized that it was sending text messages to a server in Shanghai that was registered to Adups. Kryptowire contacted the U.S. government about its findings.

BLU CEO Samuel Ohev-Zion says that the company had no knowledge of the Adups software and says that no BLU handset runs the software today. Adups told BLU that all of the data taken from BLU customers was destroyed.

BLU R1 HD

source: NYTimes