Chinese phone makers Huawei and ZTE, who are Telstra’s key manufacturing partner for their house brand pre-paid phones, have been caught up in claims that their budget devices are secretly sending user data – including full text messages back to a secret Chinese server.
Huawei who was recently dumped by Telstra and has been banned by the Federal Government over security concerns has not commented on the issue.
Security firm Kryptowire who have a contract with US Homeland Security were the ones who discovered that software installed on some cheap Android phones made by Huawei and ZTE were secretly sending information back to China.
Telstra House Brand Phones are made by ZTE a Company that is part owned by the Chinese Government.
The software, which collects location data and contacts and call history, sends the information to a Chinese company called Shanghai Adups Technology every 72 hours without the owner knowing.
It has been identified on several ZTE and Huawei models of Android phones that cost around $100 -$150 and are sold in Australia.
It’s unclear how many phones have the software installed, but IDC research reveals that it could well affect tens of thousands of phones in Australia where both brands have a significant presence.
In Australia ZTE which is part owned by the Chinese Government manufacture thousands of smartphones for Telstra.
Aside from collecting and sending information, the backdoor could also be used to bypass the phone’s security, allowing another party to control the device.
According to a New York Times report, the software was intentionally created and installed on the phones, after Adups was asked to do so by a Chinese manufacturer.
The Times report also claims the backdoor affects “international customers such as in Australia and users of disposable or prepaid phones”.
A lawyer for Adups, which says its software runs on more than 700 million devices, told the Times: “This is a private company that made a mistake.”
It remains unclear what the user information has been used for, though there are concerns over whether it has supported surveillance efforts.
Adups has not confirmed which phones are affected by the software.
ChannelNews strongly suggests that consumers concerned should contact their carrier or Huawei or ZTE directly as there is every possibility that Chinese authorities are tracking Chinese nationals living or visiting Australia via their mobile devices.
We have asked Huawei Australia for a comment, but at this stage the Chinese Company who has also been banned by the US government have not commented.
Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire.
“Even if you wanted to, you wouldn’t have known about it,” he said.
At the heart of the issue is a special type of software, known as firmware, that tells phones how to operate. Adups provides the code that lets companies remotely update their firmware, an important function that is largely unseen by users. Normally, when a phone manufacturer updates its firmware, it tells customers what it is doing and whether it will use any personal information. Even if that is disclosed in long legal disclosures that customers routinely ignore, it is at least disclosed. That did not happen with the Adups software, Kryptowire said.
According to its website, Adups provides software to two of the largest mobile phone manufacturers in the world, ZTE and Huawei. Both are based in China.
Ms. Lim said she did not know how many phones were affected. She said phone companies, not Adups, were responsible for disclosing privacy policies to users. “Adups was just there to provide functionality that the phone distributor asked for,” she said.
A Google official said the company had told Adups to remove the surveillance ability from phones that run services like the Google Play store.
That would not include devices in China, where hundreds of millions of people use Android phones but where Google does not operate because of censorship concerns.
Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.”
Ms. Lim said she did not know how customers could determine whether they were affected.
Retailers who sell Huawei products could start pulling their devices from shelves if the matter is not resolved. “If customers are concerned we may have to act” one retailer said.