Security bods find Android phoning home. Home being China

Security researchers have uncovered a secret backdoor in Android phones that sends almost all personally identifiable information to servers based in China. The firmware is managed by Shanghai Adups Technology, and according to the company, is contained on over 700 million phones worldwide, including phones available in the …

  1. Anonymous Coward
    Anonymous Coward

    Sniff sniff

    I smell another transgression by the Chinese Government. It would be a breach of civil rights if they had any to begin with...

    1. imanidiot Silver badge

      Re: Sniff sniff

      Jup, it's positively rank in here

      1. Destroy All Monsters Silver badge

        Re: Sniff sniff

        This article needs to be illustrated with Gloriously Smug Chinese Cartoon Girl!

    2. Anonymous Coward
      Anonymous Coward

      Don't be Evil

      [unless your bottom line depends upon it]

    3. Cem Ayin
      Facepalm

      Re: Sniff sniff

      "I smell another transgression by the Chinese Government."

      Sending millions of users' digital family silver to a single well-known server, apparently without certificate pinning? Using plain old DES in the mix? I know one should never underrate the power of human stupidity, but frankly I'd expect Chinese surveillance agencies to make a better job of it. Actually, I think even North-Corea would do a better job these days...

      1. Anonymous Coward
        Anonymous Coward

        Re: Sniff sniff

        >North-Corea

        North Korea.

    4. Antron Argaiv Silver badge
      Thumb Up

      Re: Sniff sniff

      I'm beginning to think that trusting *any* software coming out of China is inadvisable.

      Or, maybe, we should take the advice of President Reagan, and "trust, but verify".

      // no spy icon?

      1. Unicornpiss

        "Trust but verify"

        I always liked the old adage: "Trust in God but lock your car." or for those of us that are atheists, "Trust in your fellow man but lock your car."

      2. fidodogbreath

        Re: Sniff sniff

        I'm beginning to think that trusting *any* software coming out of China is inadvisable.

        It's hard to avoid, since so many computers, phones and other electronics are made there. You have no idea what might be tucked away in UEFI, or the firmware of your hard drive, or your phone's CPU.

        I have a sinking feeling that when World War 3 starts, every Chinese-made computer, router, phone, etc. in the west will shut down.

        1. Lomax
          Mushroom

          Re: Sniff sniff

          Or as I often say; we will know that world war III has begun when our fighter pilots press the "Start(tm)" button in their cockpit and nothing happens.

  2. Herby

    All your base...

    ...belong to us.

    Enough said.

    1. Anonymous Coward
      Anonymous Coward

      Re: All your base...

      No...no not enough said it's time to launch off every zig.

      Then we need someone to set us up the bomb.

      Move zig bitches.

      The prophecy was wrong, it's not the year 2101 we need to worry about. It's 2016.

  3. Youngone Silver badge

    Questions

    Do I read this in conjunction with the China v Apple story? Are they connected?

    Also, if the spyware in question might be on 700 million phones, why has it only been discovered on one model of BLU phone?

    1. Anonymous Coward
      Anonymous Coward

      Re: Questions

      700 million is the number of phones any of Adups' software is installed on, not (necessarily) the number this particular spyware is on.

  4. Sorry that handle is already taken. Silver badge

    So...

    How, or when, do we find out which devices are infected?

    1. Mr Flibble
      Big Brother

      Re: So...

      If you gain root access, I would expect that you'll be able to see the files in one of the /data/app* directories. I'd not like to say for certain, though.

      1. S4qFBxkFFg

        Re: So...

        These things vary by device, also check:

        /system/app/

        /system/priv-app/

        Look for things like "FWUpgrade" and "FWUpgradeProvider".
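
The directory check suggested in the two comments above, written out as a script (an added example, not code from the thread or from the researchers). It assumes a root shell on the device or an extracted firmware image mounted at a path you pass in; `find_fota_packages`, `make_sample_tree` and the sample layout are constructed for illustration, and only the name fragment `FWUpgrade` and the three directories come from the comments.

```shell
#!/bin/sh
# Added example: list app directories and APKs whose names contain the
# strings mentioned in the comments above.
# Assumption: ROOT is "/" in a root shell on the device, or the mount point
# of an extracted firmware image.

# Name fragment taken from the comment; "FWUpgrade" also matches
# "FWUpgradeProvider". Add more fragments separated by spaces.
FOTA_NAME_PATTERNS="FWUpgrade"

# Print every matching path under ROOT/system/app, ROOT/system/priv-app and
# ROOT/data/app*, one per line, sorted and de-duplicated.
find_fota_packages() {
    root=${1:-/}
    root=${root%/}                      # "/" becomes "", so paths stay absolute
    for dir in "$root"/system/app "$root"/system/priv-app "$root"/data/app*; do
        [ -d "$dir" ] || continue       # skip missing dirs and unmatched globs
        for pat in $FOTA_NAME_PATTERNS; do
            # Depth 2 covers both /system/app/Foo.apk and /system/app/Foo/Foo.apk
            find "$dir" -maxdepth 2 -iname "*${pat}*" 2>/dev/null
        done
    done | sort -u
}

# Constructed sample layout for trying the scan offline; prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/system/app/FWUpgrade" \
             "$t/system/priv-app/FWUpgradeProvider" \
             "$t/system/app/Calculator" \
             "$t/data/app/com.example.notes-1"
    : > "$t/system/app/FWUpgrade/FWUpgrade.apk"
    : > "$t/system/priv-app/FWUpgradeProvider/FWUpgradeProvider.apk"
    : > "$t/system/app/Calculator/Calculator.apk"
    echo "$t"
}

# Scan the path given on the command line, if any.
if [ $# -gt 0 ]; then
    find_fota_packages "$1"
fi
```

An empty result only means these names were not found; as the comment says, names and locations vary by device.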

    2. Anonymous Coward
      Anonymous Coward

      Re: So...

      "How, or when, do we find out which devices are infected?"

      If they run any sort of OS from Google then they are infected!

      1. Sorry that handle is already taken. Silver badge

        Re: So...

        If they run any sort of OS from Google then they are infected!

        Oh.

        Can you help me install Windows on my phone?

      2. Lomax
        Alert

        Re: So...

        I think this is correct. In fact my guess is that any given Android device is likely to have multiple backdoors and leakers, some government sponsored, some built in by Google from the start, some from chip manufacturers, some from ad/spamware app makers, some from criminal networks - possibly something put there by your spouse and/or your boss as well. Then you have the various wire taps on the mobile network, and on the Internet itself. Remember that Huawei make most of the infrastructure hardware used in UK mobile networks (and most of our home network routers as well), and that Huawei ≈ Chinese govt. Remember that our own government runs (not so secret any more) massive bulk data collection and analysis programmes. I think it's safe to assume that every call you make, every text you send, every HTTP request you make, is seen, logged and analysed by multiple parties, some more benign than others. If you think this sounds overly paranoid then you haven't been paying attention.

        And as any Cavendish grower will tell you: a big part of the problem is monoculture.

        1. anonymous boring coward Silver badge

          Re: So...

          "I think this is correct. In fact my guess is that any given Android device is likely to have multiple backdoors and leakers, some government sponsored, some built in by Google from the start, some from chip manufacturers, some from ad/spamware app makers, some from criminal networks - possibly something put there by your spouse and/or your boss as well. "

          No wonder battery life is so poor on Android phones.

          And now Google makes you turn on GPS to get some basic crap working. Let me just enter my location manually FFS! I DON'T WANT 1984 TO ARRIVE YET!

  5. Mr Flibble
    Pirate

    Those host names currently point to 118.193.254.27.

    1. Destroy All Monsters Silver badge

      ...and that is who?

      1. Anonymous Coward
        Facepalm

        Here you go, girly will help you

        https://www.apnic.net , put the numbers in the box at the top, press return and all will be revealed.

        1. Adam 52 Silver badge

          Re: Here you go, girly will help you

          Is there an easy way to find out how it routes there? Via Fort Meade and Cheltenham perchance?

          1. Anonymous Coward
            Anonymous Coward

            Re: Here you go, girly will help you

            traceroute (cli)

            whatroute on macosx

        2. Anonymous Coward
          Anonymous Coward

          Re: Here you go, girly will help you

          "https://www.apnic.net , put the numbers in the box at the top, press return and all will be revealed."

          It's not advisable to take the piss out of other people if you don't even know the simplest solution yourself.

          Go to the command line (know what that is?) and type "whois 118.193.254.27".

          1. Anonymous Coward
            Anonymous Coward

            Re: Here you go, girly will help you

            Well, I do know what the 'simplest solution' is, as I have many years of experience in IT, both permie and a successful contractress.

            As I do not know the poster's technical ability, I chose the simplest non technical solution.

            Run along now.

            1. This post has been deleted by its author

            2. Anonymous Coward
              Anonymous Coward

              Re: Here you go, girly will help you

              "contractress."

              No such word.

              "As I do not know the poster's technical ability"

              Given they're posting to this site I suspect they're not novices.

              "Run along now."

              You're going to have to work harder at being patronising.

              1. Anonymous Coward
                Anonymous Coward

                Re: Here you go, girly will help you

                There is a lovely word - 'Prat'.

                While at it - please open the Oxford dictionary on the page containing 'misogyny' and read ...

              2. FIA Silver badge

                Re: Here you go, girly will help you

                "contractress."

                No such word.

                I don't think language works how you seem to think it does. (If it did you could have at least constructed a full sentence).

                "As I do not know the poster's technical ability"

                Given they're posting to this site I suspect they're not novices.

                Really? REALLY?? You quite often get posters on here who've clearly not even read the article they're commenting on. All you can be sure of is they can possibly manage to use some technical equipment without electrocution; or dictate to their carer.

                "Run along now."

                You're going to have to work harder at being patronising.

                Oh, I dunno; I laughed out loud at that bit. Condescension to a tee. (I believe someone younger than myself might remark that 'you got served').

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Here you go, girly will help you

                  "I don't think language works how you seem to think it does. (If it did you could have at least constructed a full sentence)."

                  You can't just make up a word and expect it to suddenly appear in the OED or for others not to pick you up on it.

                  "Really? REALLY??"

                  Yes really. You think someone who normally is googling Towie is suddenly going to reply to an article on an exploit in android phones?

                  "Oh, I dunno; I laughed out loud at that bit. Condescension to a tee. (I believe someone younger than myself might remark that 'you got served')."

                  If you think that's clever condescension then clearly you've never been on usenet. It would rate a 2/10 at best. The only thing that got served was "her" (I doubt it's a she anyway) smart ass on a plate.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Here you go, girly will help you

                    Curious, "I doubt it's a she anyway" as to why you would think that? Do you know the poster?

                  2. Sweep

                    Re: Here you go, girly will help you

                    I have very almost no knowledge of IT and I've just replied to an article on an exploit in android phones (I wasn't googling TOWIE though).

                    And what's "googling"? You can't just make up words you know.

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Here you go, girly will help you

                      "And what's "googling"? You can't just make up words you know."

                      https://en.wikipedia.org/wiki/Google_(verb)

            3. Rosie Davies

              Re: Here you go, girly will help you

              REAL* sysadmins do not use the command line. Real sysadmins sense the route taken from the spin of the photons flowing through the fibre.

              Rosie

              *Robotically Enhanced Advanced Lifeforms for those at the back of the class. Yes Smithers, I'm talking to you.

          2. Brewster's Angle Grinder Silver badge
            Trollface

            Re: Here you go, girly will help you

            >Go to the command line (know what that is?) and type whois 118.193.254.27

            It says: 'whois' is not recognized as an internal or external command, operable program or batch file.

            What do I do now?

            1. Anonymous Coward
              Anonymous Coward

              Re: Here you go, girly will help you

              "What do I do now?"

              Install a proper OS.

            2. VinceH
              Coat

              Re: Here you go, girly will help you

              "It says: 'whois' is not recognized as an internal or external command, operable program or batch file.

              What do I do now?"

              > GO NORTH

      2. David Shaw

        I prefer http://www.infosniper.net, gives you a decent handful of detailed look-ups per day, and a nice map

      3. Anonymous Coward
        Anonymous Coward

        Well done. You got the answer without any exposure or risk to yourself.

        1. Anonymous Coward
          Anonymous Coward

          What 'real OS' are you talking about?

          Linux:

          -bash: whois: command not found

          1. Anonymous Coward
            Anonymous Coward

            >Linux:

            >

            >-bash: whois: command not found

            I suggest you check your $PATH for /usr/bin or /sbin because whois is part of the standard unix/linux networking command set and has been for decades.

            1. Alister

              @boltar

              I suggest you check your $PATH for /usr/bin or /sbin because whois is part of the standard unix/linux networking command set and has been for decades.

              I suggest you check your information, it hasn't been included in the standard install for many distributions for years.

              1. Anonymous Coward
                Anonymous Coward

                "I suggest you check your information, it hasn't been included in the standard install for many distributions for years."

                Bollocks.

            2. Brewster's Angle Grinder Silver badge

              "suggest you check your $PATH for /usr/bin or /sbin because whois is part of the standard unix/linux networking command set and has been for decades."

              The program 'whois' is currently not installed. You can install it by typing:

              sudo apt-get install whois

              1. Anonymous Coward
                Anonymous Coward

                "The program 'whois' is currently not installed. You can install it by typing:"

                What fucked up distro do you use? Does it not have ping or traceroute or ssh installed either?

                1. Alister

                  What fucked up distro do you use? Does it not have ping or traceroute or ssh installed either?

                  From my own experience, none of the following have the full set of network tools installed by default:

                  Redhat, Centos, Ubuntu, Debian (and its offshoots, like Mint).

                  They do have ping, and ssh, but not traceroute, whois, dig etc.

  6. Dr Paul Taylor
    Flame

    This is why

    I don't have a "smart"phone.

    1. a_yank_lurker

      Re: This is why

      And if you have one, limit what activities you use it for. No banking, purchases, financial information on it. If Android, have a phone-only email distinct from your main email.

      1. Pangasinan

        Re: This is why

        I never use my phone for money transactions.

        My passwords for banking are on home PC and that's where they stay.

        1. Charles 9

          Re: This is why

          Ever thought your PC could be owned without you knowing it? In that light, a phone's no worse than the PC especially if you don't store the passwords.

    2. Whitter
      Unhappy

      A dumb smartphone

      First the marketers came with their intrusive band-hogging ads.

      Then the governments with their hoovers.

      So now it only gets used for texts, phone calls and browsing news-pages/forums, all of which can be done on landfill android.

      So why pay for anything else?

  7. Anonymous Coward
    Anonymous Coward

    And that makes a difference how?

    According to Adups, the software featured on the phone tested by Kryptowire was not intended to be included on phones in the United States market

    It was only for the rest of the planet, so that's OK then. Honestly...

    1. John Smith 19 Gold badge
      Gimp

      "not intended to be included on phones in the United States market"

      No.

      They have a special version for Americans.

      USG authorized.

    2. Just Enough
      Mushroom

      Re: And that makes a difference how?

      My immediate thought too.

      "...is contained on over 700 million phones worldwide, including phones available in the United States."

      "worldwide"? Meh. That's too bad. Good job the US is not part of the wide world.

      "including phones in the United States"? Now wait a minute!! Are you kidding me?? A line has been crossed!

  8. goldcd

    I don't see espionage

    just good old-fashioned capitalism at work.

    If you find yourself with an OS you haven't paid for - you should maybe question why it was free.

    I'm a long-term Android user, and as such have accepted that I'm being subsidised by Google, and I'm OK with this. I benefit from the data-mining. Really quite nifty to be able to shout at my daydream headset to "show my photos of San Francisco" and see my geo-tagged holiday from 5 years ago, or slightly more disturbingly "show me pictures of Percy" and see pictures of my black moggy... actually I'm still bemused how they do this.. but impressive none the less.

    Where I have concerns is where this information spreads beyond google. Not that I trust them, but I get a benefit and know they'll be sued to oblivion if they say record & publicly post my incognito browsing history.

    Once you start using a third-party-rolling of AOSP, then well you might save a few quid upfront, but be careful..

    1. Mark 110

      Re: I don't see espionage

      You have paid for it. The OEMs pay Google. You pay the OEM.

    2. Sorry that handle is already taken. Silver badge

      Re: I don't see espionage

      I certainly paid money for the phone!

    3. Anonymous Coward
      Anonymous Coward

      Re: I don't see espionage

      If you really believe that a Chinese company would have the balls to lo-jack the firmware of allegedly 700 million devices without express authorisation of the Chinese government then you my friend, don't know nuthin bout China. You would hang for that. It's not advertising data, it's surveillance data.

    4. Destroy All Monsters Silver badge
      Gimp

      Re: I don't see espionage

      just good old-fashioned capitalism at work.

      Only if the customer doesn't care. Honest-to-God "Capitalism" is, after all, about selling stuff that the customer actually wants to pay for. (as opposed to the new model Corporatism : An Unholy Cancerous Fusion of Corporations with Government / Central Bank / Wall Street where everyone sucks each other's dick till the music stops due to lack of resources to prey on)

      If you find yourself with an OS you haven't paid for - you should maybe question why it was free.

      What does Windows 10 have to do with this?

      1. sabroni Silver badge

        Re: What does Windows 10 have to do with this?

        They both suck all your personal data.

    5. Mystic Megabyte

      Re: I don't see espionage

      "or slightly more disturbingly "show me pictures of Percy" and see pictures of my black moggy."

      I searched for photos of Percy and got a *very* different result! :)

      1. Anonymous Coward
        Anonymous Coward

        Re: I don't see espionage

        I assume 'black moggie' is a euphemism.

        Sorry if I've just triggered you, left wing snowflake liberals. It's been a hard few months for you, I know.

        1. Anonymous Coward
          Anonymous Coward

          Re: Sorry if I've just triggered you, left wing snowflake liberals

          Real men are bigots. It takes balls to pick on people who've got fuck all.

        2. smartypants

          Liberals and...

          It's not about left versus right. It's about stupid versus not stupid.

          You can tell which side you're on by asking whether your views stand up to reasoned argument, or whether you feel the need to hide behind AC in case someone you know finds out.

        3. John Brown (no body) Silver badge

          Re: I don't see espionage

          "I assume 'black moggie' is a euphemism."

          No, it's either a cat or a Morris Minor. My money's on it being his pet cat.

          And he wrote "moggy", not "moggie"

        4. Anonymous Coward
          Anonymous Coward

          Re: I don't see espionage

          Moggie is UK slang for cat. A black moggie is a black cat.

      2. Anonymous Coward
        Anonymous Coward

        Re: I don't see espionage

        Mystic Megabyte,

        That was because he found his 'Percy' not yours. (Fnar Fnar !!!)

        [For the older generation 'Oh Missus' in your best Frankie Howerd voice :) ]

    6. ecofeco Silver badge

      Re: I don't see espionage

      just good old-fashioned capitalism at work.

      If by that you mean screwing the customer, then yes, that's exactly what's at work.

    7. Natalie Gritpants

      I just tried "Show pictures of me Percy"

      and got quite a surprise. Well done Google. Some of those photos weren't even taken by me and I can't remember it happening but hey, the camera never lies.

      1. Unbelievable!

        Re: I just tried "Show pictures of me Percy"

        I don't understand? Can you explain please?

    8. Doctor Syntax Silver badge

      Re: I don't see espionage

      "show me pictures of Percy" and see pictures of my black moggy

      It doesn't do slang, then.

  9. GrapeBunch

    Confused

    Teenage hackers go to jail for far less. Why is this systematic theft merely a curiosity?

    1. Destroy All Monsters Silver badge

      Re: Confused

      Let's talk about Kim Kardashian and the latest gossip on Trump.

    2. Charles 9

      Re: Confused

      Probably because it has the tacit consent of the State: IOW, sovereign approval which means little to stop it.

  10. Anonymous Coward
    Big Brother

    Provider of firmware over the air

    "Adups .. is a leading global FOTA (Firmware Over The Air) provider of end-to-end device management and software solutions to leading firms that rely on fast, secure, robust connected services around the world."

    There's the problem, if your firmware can be remotely updated then all claims of secure connected services are totally bogus.

    1. Destroy All Monsters Silver badge

      Re: Provider of firmware over the air

      Explain!

      1. Terry Cloth
        Black Helicopters

        Explain!?

        Ummm... Things may be as promised at the time you buy this little wonder. After the first update, all bets are off?

        1. Destroy All Monsters Silver badge

          Re: Explain!?

          That problem seems insurmountable.

          It's all about trust, really (and a bit of electronic signatures, but mainly trust).

    2. Charles 9

      Re: Provider of firmware over the air

      If you can't trust a stock device to be secure, nor can you trust an update, you're basically saying it's impossible to have a secure device and that we should go all Luddite.

      1. ecofeco Silver badge

        Re: Provider of firmware over the air

        In case you haven't been keeping up, it is not technically impossible to have a secure device, just impossible market wise.

        Shareholders' profits are paramount, therefore, no, no device is ever going to be secure for the foreseeable future.

      2. Yesnomaybe

        Re: Luddite

        Knowing a bit about computers and phones and that, it IS tempting to go "Full Luddite". Comes down to a compromise as always. I don't do internet banking. I don't buy things using my phone (Android). When I buy things online, I use PayPal or a credit card. Am I safe? No, of course not. But I am hopefully safe enough that slower prey will be taken before me. So more of a "Soft Luddite" for me.

        1. Charles 9

          Re: Luddite

          Then you're still very, VERY vulnerable since in this day and age any attacker can probably seek out hundreds if not thousands of victims at once, and even if it takes time, some are out there for the challenge so will see your hardened defenses as a bullseye.

          IOW, you're gonna have to go FULL Luddite or you might as well not go at all for what difference it'll make. Unless you have an actual brick & mortar bank you can reach at any time (because otherwise you could be in trouble if you need to make a spot transfer to finish your purchase), unless you do ALL your shopping physically (which means you're out of luck with a lot of stuff that's ONLY available online, such as lots of repair parts and replacement components), then odds are you're vulnerable, if not by your phone, then by your PC which could very well be pwned without your knowledge.

    3. GrapeBunch

      Re: Provider of firmware over the air

      Firmware over the air. Electric "smart meters". Either the firmware is fixed, and therefore forever hackable by all exploits. Or the firmware can be upgraded over the air, in which case somebody can reverse-engineer the upgrading process and install JoungSploder TM firmware. Or the utility company will send out a million little men with a screwdriver and a box full of ROMs. Ha ha.

  11. Anonymous Coward
    Anonymous Coward

    How do we stop it?

    How would your average Jane Q. Public be able to block such capabilities from phoning home in the first place, &/or remove such programs/capabilities entirely?

    If essentially every Android phone we might touch is thus affected then I refuse to touch any of them at all. If I'm concerned that an ATM has a skimmer attached then I'm not about to slide my debit card through it, so if I'm concerned a phone is sending all my data to some other entity then I'll not use it either for the exact same reason.

    So how can we stop it from working &/or rip it out entirely, thus rendering such devices as safe as they can be called given that they're being data-mined by Google?

    1. Charles 9

      Re: How do we stop it?

      You can't. Some of this stuff can be on feature phones, too, so no escape there. ATM OSes can be secretly compromised, too, and you can be recorded by hidden cameras. What now?

      1. Anonymous Coward
        Anonymous Coward

        Re: How do we stop it?

        >What now?

        Don't use banks, keep money under mattress and have plenty of guns, obvs.

        /sarcasm

        1. Anonymous Coward
          Anonymous Coward

          Re: How do we stop it?

          Not money. Ask India. Something tangible and with intrinsic value. Like gold or perhaps books on how to survive with no electricity or running water.

          1. DainB Bronze badge

            Re: How do we stop it?

            So that'd be a book how to survive in India ? Must not be that hard if 1.2 beeeelion people manage to do it every day.

            1. John Brown (no body) Silver badge

              Re: How do we stop it?

              "So that'd be a book how to survive in India ? Must not be that hard if 1.2 beeeelion people manage to do it every day."

              He may have been alluding to the news story of the last few days where the Indian govt. banned the 500 and 100 Rupee notes overnight. That's 85% of the in circulation paper currency, banks don't have enough stocks of other currency to exchange them, and FFS, it's pretty much the same, by value, as the UK Govt. banning £5 and £10 notes overnight. Although unlike the UK, India is very much a cash economy, which is the reason for the action. Most of the transactions aren't being declared and hence taxed.

              There's even been stories (not sure if verified) of some people burning the notes rather than end up being taxed/fined on the transactions, apparently provable by some people having sacks of cash far in excess of the value of their declared taxable income.

              1. Charles 9

                Re: How do we stop it?

                Precisely. The Indian government is trying to rein in undeclared ("black") money so as to raise necessary tax revenues and hold the rich more accountable. And many are considering the move extremely audacious, particularly in light of Indian society being very "gossipy": being able to hide this move until past the point of no return in such a "gossipy" society is considered quite the coup.

                Thing is, currency is only as good as the government that backs it. If the government disappears (like in Confederate money) or in this case withdraws its legality (the Indian case), or if hyperinflation whittles your cash value to less than the paper on which it was printed (German currency just before the rise of Hitler)...

  12. Destroy All Monsters Silver badge

    So....

    .... that Lenovo Superfish thing.

    Yeah....

    Maybe more devices need scrutiny. China wants to win too hard.

  13. Anonymous Coward
    Anonymous Coward

    Built into the firmware?

    Given how rare OS updates are for Android phones, what are the odds that any phone with this backdoored firmware ever gets a firmware update to remove it?

    1. Barry Rueger

      Re: Built into the firmware?

      I can't imagine why the previous comment was down voted.

      That was my immediate thought - most carriers will go to any lengths to avoid passing on OTA updates, and most users don't realize the hazard.

      A patch is completely worthless if you can't get it on to your device.

  14. Anonymous Coward
    Anonymous Coward

    Skeptical

    "Although Shanghai Adups is not affiliated with the Chinese government"

    Oh, really? Do any companies in China really have a choice?

  15. This post has been deleted by its author

    1. Planty Bronze badge

      Re: Nail in coffin for Android???

      Errm no, it's nothing to do with Android. Even an idiot should be able to work that out.

      1. Anonymous Coward
        Anonymous Coward

        Re: Nail in coffin for Android???

        "Errm no, it's nothing to do with Android"

        It's everything to do with Android. You can't trust Android firmware, and it likely won't ever be properly patched / updated.

        1. Charles 9

          Re: Nail in coffin for Android???

          "It's everything to do with Android. You can't trust Android firmware, and it likely won't ever be properly patched / updated."

          If you can't trust Android firmware, then you can't trust ANY firmware, for that matter, since where's the money in a one-and-done?

        2. Mark 110

          Re: Nail in coffin for Android???

          Isn't this the device firmware rather than Android? It's not accessing data within Android - it's the device and SIM information it's accessing.

  16. Anonymous Coward
    Big Brother

    Nice surveillance racket you got there China

    Wouldn't it be a damn shame if someone were to use it as a pretext -- er, excuse -- I mean, reason -- to start a TRADE WAR and ruin it all for you....

    1. Charles 9

      Re: Nice surveillance racket you got there China

      Ever thought China would WELCOME a trade war? There's very little China needs that they can't provide for themselves. They're pretty much the closest in the world to self-sufficient.

      1. Anonymous Coward
        Anonymous Coward

        Re: Nice surveillance racket you got there China

        China really needs to export to sustain its economy, the internal market won't be enough. And it needs foreign money to buy all the resources Yuan wouldn't buy. China is far from being even close to be self-sufficient. Just think how much unemployment and related issues a collapse of export may lead to...

        1. Charles 9

          Re: Nice surveillance racket you got there China

          "China really needs to export to sustain its economy, the internal market won't be enough. And it needs foreign money to buy all the resources Yuan wouldn't buy. China is far from being even close to being self-sufficient. Just think how much unemployment and related issues a collapse of export may lead to..."

          China also knows export economies can't last forever. They DO need to turn inward, and if they need something they don't have right now, recall they have a massive surplus of MEN around. At this juncture, war with the neighbors could be a win-win for them. After all, who's going to stop them when America's too far away and they have nukes and a willingness to go MAD if all else fails?

      2. Anonymous Coward
        Anonymous Coward

        Re: Nice surveillance racket you got there China

        "There's very little China needs that they can't provide for themselves. They're pretty much the closest in the world to self-sufficient."

        I think the US is closer to being self-sufficient in the two areas that really count: food and energy.

        China has to import food because they don't currently produce enough to feed their population.

        That is a turn-around from their situation 10-15 years ago, and it could change. But most likely that will be that food imports continue to rise. Depending on how much you import, even a short interruption can have an immediate effect - people can go hungry or starve.

        China also has to import about 7 million barrels of oil a day to keep the wheels turning and the factories running - I don't see them becoming self-sufficient there any time soon.

        1. Charles 9

          Re: Nice surveillance racket you got there China

          "China has to import food because they don't currently produce enough to feed their population.

          That is a turn-around from their situation 10-15 years ago, and it could change. But most likely that will be that food imports continue to rise."

          They've got tons of arable land, and they WERE net-positive not that long ago, meaning they have the means to turn this around, probably by reducing their population in various ways.

          "China also has to import about 7 million barrels of oil a day to keep the wheels turning and the factories running - I don't see them becoming self-sufficient there any time soon."

          Haven't you heard their rush to build windmills and nuclear reactors? Sounds like they're already working on the problem.

          1. Anonymous Coward
            Anonymous Coward

            Re: Nice surveillance racket you got there China

            "They've got tons of arable land, and they WERE net-positive not that long ago, meaning they have the means to turn this around, probably by reducing their population in various ways."

            "Haven't you heard their rush to build windmills and nuclear reactors? Sounds like they're already working on the problem."

            Well, we were talking specifically in terms of a Trade War and if those food and oil imports stop flowing in - you'll feel the effects pretty quickly.

            1. Charles 9

              Re: Nice surveillance racket you got there China

              But not quickly enough. China is overpopulated; they'd probably be willing to let a few million die to play the long game since it would kill two birds with one stone. No one's stupid enough to try a mass uprising, not after Tiananmen Square.

              Here, take a look at this. China will take short-term hurt for long-term gain since they could stand shedding some load. A trade war would benefit China long-term, and we know they already have plenty of untapped resources. All they need is a reason to tap into them again.

  17. Christian Berger

    Therefore it is vital to be able to root your phone

    ...so you can install iptables and make sure it'll be harder for it to communicate to anybody else than your server.

    1. Charles 9

      Re: Therefore it is vital to be able to root your phone

      But rooting means malware can take over the root, not only undoing your work but also preventing you from fixing it by using a signature check. Why do you think apps are increasingly root-aware?

      1. Christian Berger

        Re: Therefore it is vital to be able to root your phone

        They are root-aware as some dimwits believe that the security model of Android is worth more than the storage its documentation takes.

        Since malware typically is shipped by the manufacturer and you can avoid installing malware via the crap-store, rooting is a sensible way to have a minimum level of security.

        1. Charles 9

          Re: Therefore it is vital to be able to root your phone

          No, they are root-aware because they can't trust the operating environment if root exists, as root can blind practically every other sense available to them unless you're like Google and can employ an extra set of "eyes" to double-check (like they do with Android Pay).

          And no, not all malwares are built-in or come with an app. If Stagefright is any indication, they can be done from without as well using a drive-by exploit or other basic attack.

  18. ecofeco Silver badge

    Oh for cryin out loud

    :headbangwall:

    "Let's outsource our mfg to China, they said. What could go wrong, they said. Shareholders rule, they said."

    In the immortal words of Leslie Winkle from Big Bang Theory, "Dumbass."

  19. Danny 5

    I'm so surprised!

    No, no I'm not.

  20. Diginerd

    Open tickets with your Cellphone provider...

    Ask them about the firmware and ask them to block the domains and IPs involved.

    As an individual you likely won't get far, but if you run an enterprise account (Pretty sure more than one El Reg Comments reader does!) you might get some traction if more than a couple of folks make noise.

    While we're at it, put 127.0.0.1 entries for the bogus domains and null route the parent IP ranges at the edge of the corporate network.

    Sure, the above is not going to be close to 100% effective, but worth the effort to reduce the attack surface here.

    /playing whackamole

  21. Anonymous Coward
    Anonymous Coward

    Smell something???

    I smell horseshit. (Deliberate or accidental typo

    "The firmware is managed by Shanghai Adups Technology, and according to the company, is contained on over 700 million phones worldwide,"

    Think about that, let it sink in and then question the rest of the article, misleading clickbait like "Security researchers have uncovered a secret backdoor in Android phones"

    (Nothing to do with Android at all, other than it's the OS above the firmware in question)

  22. Anonymous Coward
    Unhappy

    the discovery of the firmware is being taken very seriously by US government officials

    who are frantically working out how to intercept this data.

    1. Diginerd

      Re: the discovery of the firmware is being taken very seriously by US government officials

      It's not that hard... See above + a working knowledge of "Old News" about capability ;-)

  23. Anonymous Coward
    Anonymous Coward

    119.81.164.166, 216.58.201.110

    Anybody familiar with those?

    PS: Do not bother telling me what they resolve to or where those are located, I can also do host, whois, and traceroute. The question is why does the Android System user try to talk to them.

  24. Unicornpiss
    Happy

    DDOS target?

    I think a continual denial of service attack to the China servers might be called for...

    1. Anonymous Coward
      Anonymous Coward

      Re: DDOS target?

      They probably have state backing, and remember China is infamous for its Great Firewall, meaning they probably have some oomph under the bonnet.

  25. Dieter Haussmann

    If Hillary won, USA would be militarily attacking China now.

    https://www.youtube.com/watch?v=cB4CZkhkEyQ

    1. Destroy All Monsters Silver badge

      Not before January, and probably a bit later.

  26. This post has been deleted by its author

  27. GrumpyOldMan

    And I constantly get shouted at for mistrusting and refusing to use Android.

  28. spacecadet66

    "According to Adups, the software featured on the phone tested by Kryptowire was not intended to be included on phones in the United States market."

    I mean, who among us can say that they've never accidentally installed spyware on millions of phones bound for pockets and purses in their greatest international rival?

  29. Anonymous Coward
    Anonymous Coward

    the servers are in china

    but I bet the customers for that data are a lot closer to home.

    CIA/NSA/GCHQ/Five Eyes

  30. TeeCee Gold badge
    Alert

    Shanghai Adups is not affiliated with the Chinese government...

    It's allowed to be a business in China. Ok, I know that there is a fine line between "affiliated with" and "has tongue up arse", but....

  31. Alistair
    FAIL

    And here I was expecting 99 comments to be a detailed technical discussion

    Instead, I end up with a few technical commentaries, and a huge mess of American Politics.

    a) Homo Sapiens.

    period. Melanin notwithstanding.

    b) male/female.

    well -- kinda need both in the equation at the moment or Homo Sapiens stops dead.

    c) We all live in our own little fact bubbles. Some of us can see out of them to expand our horizons. Some have set their bubbles to translucent. Sad but true.

    Long and short, from a quick read, this is apparently firmware on a specific list of hardware, not all. I'll be checking the 'droid units around here. Since I've the tools and abilities I'll cap the hostnames and any relevant IPs at the network if I find em. I might even share.

    1. Anonymous Coward
      Anonymous Coward

      Re: And here I was expecting 99 comments to be a detailed technical discussion

      "a) Homo Sapiens.

      period. Melanin notwithstanding."

      Would you call cabbage, broccoli, kale, cauliflower, savoy, Brussels sprouts, kai-lan, and Jersey cabbage different vegetables? Well, they're ALL from the same species: brassica oleracea. So distinctive (perhaps even genetically-significant) variation within a species is quite possible.

      So not so period.

    2. Anonymous Coward
      Anonymous Coward

      Re: And here I was expecting 99 comments to be a detailed technical discussion

      > Instead, I end up with a few technical commentaries

      Indeed. Very disappointing.

    3. Diginerd

      Re: And here I was expecting 99 comments to be a detailed technical discussion

      Please do! Likewise here if anything is seen.

      Anyone else feeling like chipping in too would be appreciated.

      Spirit of cooperation in a comment thread? Here's hoping.

  32. Daruka

    I am glad it's China hacking me and not the Useless Snakes or Slimey Limeys of the UK

    1. anonymous boring coward Silver badge

      "I am glad it's China hacking me and not the Useless Snakes or Slimey Limeys of the UK"

      Are you really?

  33. Anonymous Coward
    Anonymous Coward

    My Doogee phone has this and I've added all the addresses/IP to NoRoot firewall as a precaution. If anyone in China is looking at the phone data from mine they'll discover that I play Angry Birds a fair bit, get SMS from Three about my low amount of credit and no emails.

    1. Anonymous Coward
      Anonymous Coward

      Since the spyware is a system app, there's a chance it's also been configured to ignore VPNs, thus defeating a no-root firewall (where the VPN is your only possible angle). It may even be able to ignore HOSTS files if it can go straight to the socket.

      The best option would be to flash a new ROM onto the phone, one with the stuff completely removed, but support for these kinds of phones tends to be sketchy in the modding communities. I have one such device at the moment (a throwaway I got in Asia, currently without a battery), and while I could root it, I could do nothing about the telemetry stuff even with root.
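
Added example, not part of any commenter's post: a triage script for the blocking approach discussed in comments 20 and 33 (hosts entries and null routes on one side, a system app going "straight to the socket" on the other). It flags clients that query a watched domain and, separately, clients that reach a watched range with no matching lookup. The log format, domain and IP range are constructed placeholders, since the thread does not list the real ones.

```python
import ipaddress

# Placeholders only: the thread never lists the real domains or ranges.
WATCH_DOMAINS = {"updates.vendor-ota.example"}           # reserved .example TLD
WATCH_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # TEST-NET-3 documentation range

# Constructed log, one event per line: "<client> dns <qname>" or "<client> flow <dst-ip>"
SAMPLE_LOG = """\
10.0.0.21 dns bigdata.updates.vendor-ota.example
10.0.0.21 flow 203.0.113.45
10.0.0.22 dns www.example.org
10.0.0.22 flow 198.51.100.7
10.0.0.23 flow 203.0.113.9
10.0.0.24 dns notupdates.vendor-ota.example
"""

def domain_matches(qname):
    """True for a watched domain or any subdomain, compared label by label."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in WATCH_DOMAINS for i in range(len(labels)))

def ip_matches(addr):
    """True if addr parses as an IP inside a watched range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in WATCH_NETS)

def triage(log_text):
    """Map each client to the kinds of evidence seen: 'dns' and/or 'flow'."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, kind, value = parts
        if (kind == "dns" and domain_matches(value)) or \
           (kind == "flow" and ip_matches(value)):
            hits.setdefault(client, set()).add(kind)
    return hits

def bypassing_dns(hits):
    """Clients that reached a watched range with no watched lookup on record,
    i.e. traffic a hosts-file or DNS-only block would never have stopped."""
    return sorted(c for c, kinds in hits.items() if kinds == {"flow"})

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client in sorted(result):
        print(client, sorted(result[client]))
    print("no DNS lookup seen:", bypassing_dns(result))
```

The label-by-label comparison keeps a lookalike such as `notupdates.vendor-ota.example` from matching, which a plain suffix test would get wrong.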

  34. C.Carr

    "Security researchers have uncovered a secret backdoor in Android phones ..."

    *Some* Android phones. A relatively small number.

    The way it's phrased makes it sound like there's a backdoor *in Android*. Were you trying to be misleading in that paragraph, or are you dense?

  35. anonymous boring coward Silver badge

    Jesus &^*&%$%$^ Christ!

    Well, that should help sell iPhones if Samsung "camp fire phone" didn't before.

  36. stringyfloppy

    Which Is It?

    The article states:

    "Adups has not published a list of the phones its software is included in, although it is known to provide its software to the two large Chinese phone manufacturers Huawei and ZTE."

    Then a Huawei spokesperson states:

    "The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them."

    Which is it? Register, what do you mean when you say "it is known to provide its software to the two large Chinese phone manufacturers Huawei and ZTE?" What's the source for that?
