Rootkit called Carrier IQ discovered phoning home with user data

Summary: Locationgate is nothing compared to a rootkit that's been discovered pre-installed on potentially millions of Android handsets.

TOPICS: Processors, Hardware, HTC

HTC rootkit discovered pre-installed on Android handsets

Remember Locationgate? Well, that might be nothing compared to a rootkit that's been discovered pre-installed on some Android handsets.

[The Locationgate scandal erupted in April 2011 when a hidden file called “consolidated.db” (containing a database of Wi-Fi hotspots and cell towers around your phone's location) was discovered unencrypted in iOS 4.]

Well, at least consolidated.db didn't phone home and report your whereabouts to the mothership -- which is what appears to be happening on millions of Android handsets.

In this video, 25-year-old security researcher Trevor Eckhart of Connecticut shows how two nefarious apps (HTC IQAgent and IQRD) are discovered pre-loaded and running on his HTC smartphone.

Eckhart demonstrates how the surreptitious apps log text messages, encrypted web searches -- and just about everything else -- and send the data to Carrier IQ’s servers.

Worse, Wired reports that the rootkit can't be turned off without rooting the phone and replacing the operating system. "And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ."

Luckily, Logging Checker (main site) is an Android app by TrevE that tests to see if your device is among the afflicted. Here's a screenshot:

[Screenshot: Logging Checker by TrevE at XDA]

Update: I ran Logging Checker on my Droid RAZR running on Verizon Wireless and all the tests came up negative. It appears that at least the RAZR on VZW doesn't have it.

Talkback

36 comments
  • RE: HTC rootkit discovered phoning home with user data

    I use a web-proxy with ZoneAlarm Internet Security and PeerBlock as my Wi-Fi default gateway. That would have caught the rootkit's communications pants down.

    Heh.

    Why don't you also investigate apple ios rootkit returning 913,000 results?

    ~~~~~~~~~~
    Mathematicians stand on each other's shoulders and computer scientists stand on each other's toes.
    ~ Richard Hamming
    WinTard
    • It's not HTC alone, it's most CDMA phones and GSM sets to be confirmed.

      Under at least one Wireless provider.

      To see the extent of the damage found by Trevor.. look here:

      http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/

      and here for the charges made.

      http://gadgetsteria.com/2011/11/22/carrier-iq-suing-xda-member-who-found-their-spying-software-hiding-on-android-phones/

      The extent of the privacy breach is considerable as even under a secure website (https:) your personal info is transmitted in plain text.

      On HTC Sensation (GSM bands) QXDM2SD which is suspiciously similar to CIQ even though it's been reported to encrypt the SD Card.. seems to be tied to the SYNC Widget with similar traits as IQRD. Will need to investigate.
      Uralbas
    • RE: HTC rootkit discovered phoning home with user data

      @WinTard

      1. I like your Richard Hamming quote.
      2. Didn't know there was an Apple IOS rootkit, I'll Bing it.
      3. PeerBlock really needs to step up to running as a service, and IPv6.
      4. Nice idea with the proxy (honest admiration), but what about your cell provider data?

      My guess for 3, only time and devs, it'll come along. For 4, your method would undoubtedly work with WiFi only, which I'll assume you meant. I was considering others without such an understanding.
      TechNickle
      • RE: HTC rootkit discovered phoning home with user data

        @FuzzyBunnySlippers

        I followed your suggestion and used Bing's search result for apple iOS rootkit. (like you, I had never heard of an Apple iOS rootkit before.)

        Well, Bing returned one search result that reported on a 2008 reported CISCO IOS rootkit proof of concept security breach.

        I wonder if WinTard confused CISCO's IOS (Internetwork Operating System) acronym with Apple's use of the iOS name?
        kenosha77a
    • RE: HTC rootkit discovered phoning home with user data

      @WinTard I followed your suggestion and googled "apple ios rootkit" and came up with 2 different articles that talk about the HTC issue and quite a few that deal with Cisco rootkits... and not one about an Apple iOS rootkit.

      Either post some proof of this alleged rootkit or simply admit you are a troll spreading FUD.
      athynz
      • RE: HTC rootkit discovered phoning home with user data

        @Pete "athynz" Athens

        I have to think that he really knows this, and thought that by using the term "IOS ROOTKIT" might make people think that there are lots of reports about an Apple iPhone rootkit.

        THERE AREN'T.

        In fact, searching for "IOS ROOTKIT" finds articles, of which the vast majority, were written YEARS before the iPhone's introduction.

        IOS, for those who don't know, in this context refers to an operating system by CISCO that runs their networking gear.

        en.wikipedia.org/wiki/Cisco_IOS
        lelandhendrix@...
      • RE: HTC rootkit discovered phoning home with user data

        @Pete "athynz" Athens

        a touchy one you are
        http://www.theregister.co.uk/2011/12/01/ios_has_carrier_iq_client/
        majcm
      • RE: HTC rootkit discovered phoning home with user data

        @majcm

        As you probably are aware of by now, Apple issued a statement that said this "root kit" was not used in iOS 5 or on iPhone 4S models. Apple did state that prior iPhone models did have this software installed but the user could disable its diagnostic feedback functions. (Although Apple never informed the public just how evasive this "diagnostic software" actually was.) Also, ZDNet has reported that Apple will release, shortly, an iOS update that will remove this code from earlier iPhone models.
        kenosha77a
  • How amusing

    One more reason to avoid the mobile ball and chain. I do wonder if this rootkit stuff is patented.
    ego.sum.stig
    • RE: HTC rootkit discovered phoning home with user data

      @ego.sum.stig@...
      nice try... come to think of it, the patent office should take a look at this thing, and let the trolls cash in !!!
      kc63092@...
  • So prosecute HTC

    You have an app, you didn't give it permission to do that, reading their site shows they're a usage tracking app, that would be illegal, certainly under EU privacy laws (in France it could come under their criminal laws too). I bet there's plenty of laws in the US that HTC are breaking here.

    If you got the phone under contract, the carrier could well be liable too.

    Really if you don't nip this in the bud here and now with a decent multi-billion dollar class action, every one of the handset makers will start doing this, and every carrier will start doing it. It needs to be stopped here and now.

    Even Google's HTTPS sessions, a move by Google to protect the privacy of its users from third party snooping, they're passing the data over that link too. It's unbelievable that any handset maker would do that.

    ---
    If corporations are people, criminal law should apply to their CEOs.
    guihombre
    • Not Samsung, not Sony Ericsson

      Well I have a few phones, I can't find it on Samsung (Galaxy) or Sony Ericsson (X10 mini) phones, but it doesn't mean that the carriers wouldn't require it in their markets.

      Wired also says that Nokia has been using it. They're definitely liable under European privacy laws....

      From the company's (Carrier IQ) website for their service logger:
      "IQ Insight Service Analyzer delivers the next level of visibility into mobile service quality and performance. Based on Carrier IQ's leading Mobile Service Intelligence Platform, IQ Insight Service Analyzer uses data DIRECTLY FROM THE MOBILE PHONE to give a precise view of service performance as experienced by the subscriber of CLEAR INSIGHT into the DETAILED interactions between the service and device."

      Appears they log interactions with the phone systems, all the GSM messages etc.

      From their experience manager:
      "Identify exactly how your customers interact with services and which ones they use. SEE WHICH CONTENT THEY CONSUME, even offline. Identify problems in service delivery, including the inability to connect to the service at all. This actionable intelligence enables you to focus on critical quality and customer satisfaction issues."

      Wow, it's like they wrote a rootkit and then confessed in nice, easy to understand language, that even a judge can understand. "Here we confess, we snoop on everything, even offline stuff, come raid our offices".

      Incredible.
      guihombre
      • RE: HTC rootkit discovered phoning home with user data

        @guihombre Can't be 100% sure, but it doesn't seem to be on my phone, which is an HTC provided through one of the UK's carriers. Maybe it's only installed for specific geographic markets.
        DJL64
    • RE: HTC rootkit discovered phoning home with user data

      @guihombre
      If corporations are people, criminal law should apply and the corporation should go to jail. Since they are only persons created by law and don't have bodies to incarcerate, maybe the legal penalty should be to cease doing business for the duration of the imposed jail time. Forgetaboutit, that would only happen in a democracy.
      fmlogue
  • RE: HTC rootkit discovered phoning home with user data

    If HTC is the problem, then why does this spyware only appear on phones tied to a carrier contract? Why can the same kit be found on all phones tied to certain carriers? The source of the problem lies with the market and American consumers who have accepted a carrier monopoly on handsets.
    phel21
  • It's not just HTC - why only trash them?

    If you read the article on the Register the researcher only used HTC to demo the problem.

    "Eckhart said he chose the HTC phone purely for demonstration purposes. Blackberrys, other Android-powered handsets, and smartphones from Nokia contain the same snooping software, he claims."
    deaf_e_kate
  • Froze it with Titanium Backup

    My phone is rooted, one reason is so that I can run Titanium Backup. When this first came out, I "froze" HTC IQAgent. I didn't catch that IQRD was part of this too (although the icon is the same) so I just "froze" that as well.
    dougsyo@...
  • RE: HTC rootkit discovered phoning home with user data

    Not on my Verizon HTC Thunderbolt.

    What carriers/phones is this confirmed to be on??? Anyone?
    wendellgee2
    • RE: HTC rootkit discovered phoning home with user data

      @wendellgee@... Yes it is. The nature of a rootkit makes it so that you can't see the software running unless you know the exact calls to make it show itself. Only way to be sure that you're not running this is to have an AOSP based ROM on a rooted device (eg. Cyanogen Mod)
      Crion629
  • Carrier IQ on Samsung, Motorola, etc.

    Why doesn't the article mention that Carrier IQ is also on Android devices from other manufacturers such as Samsung?
    illegaloperation