Chinese mobile firmware maker Shanghai Adups Technology has been found sending full text messages to China via an alleged backdoor, according to security researchers. The company is known to provide software to two of the largest Chinese manufacturers, ZTE and Huawai.
The company says its code runs on over 700 million devices, from phones to cars and smart devices, and one US phone manufacturer stated that 120,000 of its devices have been affected by the issue. Blue Products said it fixed the issue, and Adups has said it was simply a feature designed to weed out spam messages and calls.
“No information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others,” said Adups in a statement. “Any such information received from a Blu phone during that short period was deleted.”
Besides text messages, Adups said its firmware also collects device model information, its status and application information, to guarantee that updates are accurately delivered to individual devices. However, it assured that it uses encryption to guarantee that all information is safe from attackers and none of it is shared with third parties.
“Adups utilizes https in the transmitting process and uses multiple encryption to ensure data safety. Since its founding, Adups FOTA has taken customer and user privacy very seriously,” said Adups. “No information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others.”
While security researchers have argued that firmware distribution companies usually reveal these types of activities using disclosures, this didn’t seem to be the case here. The findings have been filed with the US government, and the Department of Homeland Security is looking into it, according to Marsha Catron, DHS spokeswoman.