Someone in China could be reading your texts
That cheap Android phone you are using could be secretly relaying texts and other information to a server in China, a tech security firm says.
The firm, Kryptowire, says it has found tens of thousands of Android phones, many inexpensive and many pre-paid, that transmit information including "the full body of text messages, contact lists, call history with full telephone numbers" along with security details related to the phones.
The phones Kryptowire studied included popular models such as the BLU R1 HD that sell for as little as $50 from Amazon and Best Buy. The bug has since been removed from BLU Products phones, and "the affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information," the company said on its website.
It's not clear how many U.S. phones might still contain the bug, however.
"The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge," Kryptowire said in a statement. "The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai."
Texts were transmitted back to China every 72 hours. Personal information was transmitted every 24 hours. It's not clear what someone in Shanghai is doing with all that information — advertisers would consider it useful, but so could Chinese intelligence.
While no phones are inherently secure, very cheap phones are more at risk, said Mike Janke, co-founder and chair of Silent Circle, which sells private and encrypted mobile phones, software applications and communication management services.
“There’s not much inspection with this type of phone,” he said. “No one’s doing VPN analytics on it. If there were, a rogue server sending all your data back to China would pop up immediately. So it’s low-hanging fruit.”
The software company that wrote the code says it's all just a big misunderstanding.
A lawyer for Shanghai Adups Technology Company — which claims to provide 700 million phones, cars and other smart devices — told the New York Times the software was designed to help a Chinese phone manufacturer monitor behavior of its users and was not intended for U.S. phones.
“This is a private company that made a mistake,” Lily Lim, a lawyer in Palo Alto, Calif., who represents Adups, told the Times.
Janke doesn't buy that claim.
“There is just no way, shape or form that anybody makes a mistake grabbing all texts from a device. There’s not much advertising value in taking all of those texts,” he said.