Smartphone makers Huawei and ZTE, who are part owned by the Chinese Government, have both denied that their devices in the USA ever had the controversial Adups software, which sends personal information back to Chinese servers, installed on them. However, neither company has issued a statement regarding their phones being sold in Australia.
According to reliable sources, Telstra is extremely concerned after it was revealed by Kryptowire, a US security company, that both ZTE and Huawei phones were sending confidential information back to Chinese-based servers every 72 hours.
The big question now is who do you believe: Kryptowire or the Chinese manufacturers?
So, who is Kryptowire?
This is an organisation that was jumpstarted by the US Defence Advanced Research Projects Agency (DARPA) and the US Department of Homeland Security (DHS S&T).
They are adamant that several models of Android mobile devices contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users’ consent.
Also confirming that the questionable software was on ZTE and Huawei devices, and that “International” models contained Adups software, is none other than the US lawyer representing Adups.
According to its website, Adups provides software to two of the largest mobile phone manufacturers in the world, ZTE and Huawei.
“This is a private company that made a mistake,” said Lily Lim, a lawyer who represents Adups.
One observer told ChannelNews that they did not believe the statements being made by both ZTE and Huawei were accurate. “How would you know, Chinese Companies lie”.
Back in July 2016, Huawei, in a bid to jack up the capabilities of their P9 smartphone, posted a portrait to show what you could do with the Leica-engineered dual-cam P9 smartphone. There’s just one problem: the photo was taken with a Canon 5D Mark III and a $2,100 lens.
The gaffe was posted to (and then quickly removed from) Huawei’s Google+ page after Android Police posted about the attempt to mislead consumers. Like Flickr, Google+ displays EXIF data for an image under “Photo Details”, which revealed that Huawei were lying.
The security company Kryptowire has said that the devices made by ZTE and Huawei were being sold by Amazon and Best Buy. In Australia, Huawei phones are sold by both JB Hi Fi and Harvey Norman as well as Optus and Vodafone.
A Kryptowire document seen by ChannelNews and believed to be part of the document supplied to Homeland Security in the USA said “These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).
“The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices”.
The document went on to say that the firmware, which is difficult to detect, was shipped with the mobile devices, and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information. The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd.
In Australia, Optus sells both Huawei and ZTE devices.
When Optus PR executives were contacted, they said “I’d recommend directing any questions to Huawei’s media team. This isn’t a matter for Optus to comment on”.
Huawei, despite being given over 12 hours to comment, has so far not issued any statement to SmartHouse.
This is a company with a questionable record in Australia. They were recently dumped by Telstra, and the Australian Federal Government has also banned the company from being a supplier due to security concerns.
ZTE did issue an email to ChannelNews pointing to the US statement that claimed that no U.S. ZTE devices “have ever had the Adups software installed on them, and will not.” ZTE followed this statement up by pointing out that they take security and privacy very seriously and that it is and always will be a leading priority for them.
At this stage ZTE have not said whether Australian devices contain the Adups software.
Kryptowire claim that their findings, which the US Government are taking seriously, are based on both code and network analysis of the firmware.
The user and device information was collected automatically and transmitted periodically without the users’ consent or knowledge. The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai.
This software and behaviour bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.
“All of the data collection and transmission capabilities we identified were supported by two system applications that cannot be disabled by the end user. These system applications have the following package names:
The data collection and transmission capability is spread across different applications and files. The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other PII data. The information was transmitted to the following back-end server domains:
All of the above domains resolved to a common IP address: 22.214.171.124 that belongs to the Adups company. During our analysis, bigdata.adups.com was the domain that received the majority of the information whereas rebootv5.adsunflower.com with IP address: 126.96.36.199 was the domain that can issue remote commands with elevated privileges to the mobile devices.
Kryptowire also identified other capabilities in their document.
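For defenders who want to check a network for the behaviour quoted above, the following is an added example (not Kryptowire's tooling and not part of the original article) that scans DNS resolver logs for the two domains named in the text and flags lookups recurring at the 24-hour and 72-hour intervals the document describes. The log format, client addresses, sample entries and one-hour tolerance are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Parent domains of the two hosts named in the quoted text; subdomains match too.
WATCHED_SUFFIXES = ("adups.com", "adsunflower.com")
# Reporting intervals stated in the quoted text, in hours.
INTERVALS_H = (24, 72)
TOLERANCE_H = 1.0  # assumption: allowed jitter around each interval

# Constructed sample resolver log: "ISO timestamp  client IP  queried name"
SAMPLE_LOG = """\
2016-11-01T02:00:10 10.0.0.21 bigdata.adups.com
2016-11-01T08:15:00 10.0.0.21 www.example.org
2016-11-02T02:00:40 10.0.0.21 bigdata.adups.com
2016-11-03T02:01:05 10.0.0.21 bigdata.adups.com
2016-11-01T05:30:00 10.0.0.34 rebootv5.adsunflower.com
2016-11-04T05:31:00 10.0.0.34 rebootv5.adsunflower.com
2016-11-02T11:00:00 10.0.0.50 notadups.com
"""

def is_watched(name):
    # Match on a label boundary so "notadups.com" is not mistaken for "adups.com".
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_beacons(log_text):
    """Return {(client, domain): {"queries": n, "periodic_hours": [...]}}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, name = parts
        if is_watched(name):
            hits[(client, name.lower().rstrip("."))].append(datetime.fromisoformat(ts))
    report = {}
    for key, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        matched = sorted({i for g in gaps for i in INTERVALS_H if abs(g - i) <= TOLERANCE_H})
        report[key] = {"queries": len(times), "periodic_hours": matched}
    return report

if __name__ == "__main__":
    for (client, domain), info in sorted(find_beacons(SAMPLE_LOG).items()):
        print(client, domain, info)
```

Because the quoted document says the payload was encrypted and sent over secure web protocols, name lookups and their timing are the signal used here rather than packet contents.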
The issue for Telstra is that the bulk of their Telstra branded smartphones are made by ZTE.
While Telstra has not officially commented, a high-level source said “We are concerned, we have requested information from ZTE and we are still waiting for a response. Our engineers have started to look at the devices but as the US Company has identified it is hard to identify where the software is located”.
In September 2016, Adups claimed on its web site to have a world-wide presence with over 700 million active users, and a market share exceeding 70% across over 150 countries that does include Australia.
The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.
Kryptowire said “As smartphones are ubiquitous and, in many cases, a business necessity, our findings underscore the need for more transparency at every stage of the supply chain and increased consumer awareness. Kryptowire has developed tools aimed at detecting non-compliant software that can violate privacy and security policies that are not necessarily classified as malware.
In many cases, these applications are benign, but exhibit behaviour non-compliant with organizational, industry, and government policies”.
Sam Skontos, VP and Regional MD South-east Asia and Pacific for Alcatel, Australia’s #3 mobile brand, said that Alcatel and its parent company, TCT Mobile, have no relationship with Adups and have no such firmware on any of their devices. Further, Alcatel/TCT Mobile conducts its Firmware Over The Air (FOTA) updates through its own in-house servers, not through third party suppliers.
He added “It is a sad day when we are talking about spyware on devices and the fact that some global companies think it’s OK to take security and privacy away from consumers”.
“This is just another example of how some Chinese manufacturers enter markets, do not disclose this type of activity to anyone including industry stakeholders, show no regard whatsoever for consumer security and privacy laws, until of course they are caught out. Firmware updates may be issued but the damage has been done, and questions need to be asked about why this was on their handsets in the first place”
He added “It proves that consumers are right to be ever-vigilant about their personal information. It’s also an important opportunity for consumers to ask questions, and for all industry stakeholders to do more to ensure consumer privacy is protected above all else. More questions need to be asked, and when these issues are found out, more needs to be done to hold to account companies who deceive consumers”.
He warned “Do not tar all Chinese companies with the same brush. Alcatel has a significant local presence and works hard to localise every single device. You will not find any such spyware on our devices because we respect our customers and the right to strictly protect their privacy and security.
We have seen around the world the potential for everyday consumers to make a difference, from world politics to more everyday matters. They can send a clear message to the companies conducting their business like this. Consumers should be worried, but they should also be able to more easily identify the manufacturer of their handset, which may be different to the consumer branding on the handset itself.
The responses so far from those companies named in global media reports should only worry consumers and authorities more.”