Phone firmware maker denies handing text message data to Beijing

Chinese cloud firmware company Shanghai Adups Technology has released a statement refuting reports that it is collecting text message data and sending it back to the Chinese government, saying it was simply using the information to filter out junk texts and calls for users through a piece of software included by accident on low-end Blu smartphones.

See: Low-cost Android phones are secretly sending your messages and contacts to China

According to Adups, which produces firmware over-the-air (FOTA) updates, other clients had asked it to provide a method for flagging junk texts and calls to improve user experience. It does so by collecting messages to assess via language whether they are junk by using back-end aggregated data analysis and cross-referencing with a user's contact list.

It also collates information about devices to decide when to deploy FOTA updates.

"To ensure Adups is providing the correct updates and services, we collect model information, device status, application information, bin/xbin information, and summary information from phones and messages, and utilize the information to verify that the appropriate updates and services are sent to the correct devices," the company said in a statement.

"Adups utilizes https in the transmitting process and uses multiple encryption to ensure data safety. Since its founding, Adups FOTA has taken customer and user privacy very seriously."

In June, Adups said some Blu smartphones included a version of its FOTA application that "inadvertently" contained the junk flagging functionality.

Adups said it disabled the functionality across all Blu devices as soon as it became aware of the objections.

"No information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others," Adups said.

"Any such information received from a Blu phone during that short period was deleted."

Adups is also working alongside Google and Blu to ensure that its flagging of junk texts and calls does not inadvertently occur on updated versions of the FOTA across any Blu devices. The phones have since passed the Kryptowire test, Adups added.

"Adups has been working to further improve the privacy protections in its products. Adups sincerely apologizes to its partners and users," it concluded.

"We will enhance process management and work to improve transparency, and deliver high-quality products and best service to provide the best possible data security for all our customers."

Adups' statement came in response to a report by The New York Times on Tuesday saying that Adups smartphones came with a "secret feature: a backdoor that sends all your text messages to China every 72 hours".

According to the NYT report, the United States government said it was not sure whether the breach of privacy, which affected around 120,000 Blu phones, constituted Chinese government data mining for intelligence purposes, although a lawyer for Adups told the publication that the company is not affiliated with the Chinese government.

Kryptowire, which found the issue, published its findings after notifying the US government on Tuesday.

"Kryptowire has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD," Kryptowire said.

"These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI), and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

"The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and were managed by a company named Shanghai Adups Technology."