
Android spyware that secretly collected user data was found preinstalled on a budget smartphone sold through various retailers, and although the company responsible claimed it was standard data collection, one expert said the software went overboard.

Researchers at Kryptowire, a mobile security firm jumpstarted by the Defense Advanced Research Projects Agency and the Department of Homeland Security, based in Fairfax, Va., said they first came across the mobile spyware on a $59 BLU R1 HD smartphone bought from Amazon. The Android spyware "collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent" under the guise of offering better spam filtering.

"These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. The firmware could target specific users and text messages matching remotely defined keywords," Kryptowire wrote in a blog post. "The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity there are less invasive ways to provide spam filtering.

"Filtering out spam messages and calls is a nice-to-have feature, but there are other technical approaches towards doing it besides forwarding full text messages and contact details, infringing on users' privacy," Arsene said. "That's why metadata and message fingerprinting technologies exist, so that users' personal data is never sent as it is, protecting their privacy."
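Arsene's point about fingerprinting, as an added example that is not part of the original article or of any product mentioned in it: the handset hashes word n-grams of a message with a keyed hash and compares them against fingerprints of known spam templates, so only a score and a hashed sender identifier, never the message body or the phone number, leave the device. The key, the spam template and the sample messages are all constructed for the illustration.

```python
import hashlib
import hmac
import json
import re

# Hypothetical key shared between the device and the filtering service
# (constructed for this example; a real deployment would provision it per tenant).
KEY = b"example-fingerprint-key"


def normalize(text: str) -> list[str]:
    """Lowercase and keep only alphabetic words; digits and punctuation are dropped."""
    return re.findall(r"[a-z]+", text.lower())


def shingles(tokens: list[str], n: int = 3) -> set[str]:
    """Overlapping word n-grams; a message shorter than n words yields no shingles."""
    return {" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def fingerprint(value: str) -> str:
    """Keyed, truncated hash: the service can match it but cannot read the original."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def message_fingerprints(text: str) -> set[str]:
    return {fingerprint(s) for s in shingles(normalize(text))}


def spam_score(msg_fps: set[str], spam_fps: set[str]) -> float:
    """Fraction of the message's shingles that match known spam templates (0.0 if none)."""
    if not msg_fps:
        return 0.0
    return len(msg_fps & spam_fps) / len(msg_fps)


def build_report(sender: str, text: str, spam_fps: set[str], threshold: float = 0.5) -> dict:
    """Everything that leaves the device: a sender fingerprint and a score, never the body."""
    score = spam_score(message_fingerprints(text), spam_fps)
    return {
        "sender_fp": fingerprint(re.sub(r"\D", "", sender)),  # digits only, then keyed hash
        "score": round(score, 3),
        "flagged": score >= threshold,
    }


# Constructed spam template; the service ships it to devices as fingerprints, not as text.
SPAM_FPS = message_fingerprints("you have won a free cruise call now to claim")

if __name__ == "__main__":
    print(json.dumps(build_report("+1 555-0100",
                                  "CONGRATULATIONS! You have won a FREE cruise, call now", SPAM_FPS)))
```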

The company behind this firmware, and the recipient of the user data, was Shanghai ADUPS Technology Co. Ltd., commonly known as ADUPS, which provides professional firmware over-the-air (FOTA) update services for smartphones. According to the ADUPS website, the company has 700 million active users worldwide.

ADUPS said BLU objected to the Android spyware collecting data without user consent in June 2016 and "ADUPS took immediate measures to disable that functionality on BLU phones." There was no comment on the use of this firmware on other Android devices, but ADUPS assured customers that "no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a BLU phone during that short period was deleted."

Arsene said the speed of the fix was commendable.

"From a technical perspective, declaring to have disabled the feature and removed all collected data in such a short time is commendable," Arsene said. "This means they knew what the problem was and how to quickly fix it."

ADUPS said in a statement that it takes "user privacy very seriously" and claimed the software in question was designed to help eliminate spam.

"In response to user demand to screen out junk texts and calls from advertisers, our client asked ADUPS to provide a way to flag junk texts and calls for users. We developed a solution for ADUPS FOTA application," ADUPS wrote in a blog post. "The customized version collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience. ADUPS FOTA application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user's contacts."

Arsene said data collection in general is not uncommon and can help to accurately deliver updates to specific devices in case security issues arise.

"However, users should always be notified when such information is being collected, as some might want to opt out and dismiss such features," Arsene said. "It's mandatory for any software provider to inform its customers in regards to what type of information they're collecting -- whether for marketing, commercial or for offering various functionalities. The fact that such a disclaimer was missing is a big deal as it borders [on] espionage malware practices."


SearchSecurity: Security Wire Daily News

If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.

The company behind the popular Paid To Click site has been breached, the site (Clixsense.com) made to redirect to a gay porn site, its Microsoft Exchange server and web servers compromised, and an old database server containing users' information pilfered some ten days ago.

The stolen information includes users' names, email and IP addresses, home addresses, dates of birth, sex, account balances, payment history, as well as their passwords in plaintext.

The company confirmed the hack to Ars Technica and said it has forced a password reset on all of its 6.6 million registered users.

Users who have reused the same password on other online accounts should change it there as well, and should be on the lookout for convincing phishing attempts by crooks using their stolen information.

It is a very realistic scenario, as the attackers are offering the account records for sale, along with emails exchanged by the company’s employees and the complete source code for the site.

They have released a sample of the stolen data, containing that of early users, as proof.

Unlike previous mega data breaches, this one is not old – the user database has been dumped earlier this month, so all the information contained in it should be up to date.

Of course, it’s possible that some users have entered incorrect information when asked, and given what’s happened, I say good on them.

“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated),” Clixsense explained in a post about the incident.

“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $0.00.”

After all that, the company had the nerve to say that the incident “has taught us that regardless of what you do to stay secure, it still may not be enough,” and that users’ “ClixSense account information is now much more secure.”

Never mind that it should have been secure in the first place… Why was an old server that’s no longer in use still connected to their database server? And, for that matter, why did they store passwords in plain text? None of this inspires much confidence that they will “do” security better in the future.

But none of this matters much to the affected users: much of their personal info has been compromised, and there is no going back.


Help Net Security