Sniff sniff
I smell another transgression by the Chinese Government. It would be a breach of civil rights if they had any to begin with...
Security researchers have uncovered a secret backdoor in Android phones that sends almost all personally identifiable information to servers based in China. The firmware is managed by Shanghai Adups Technology, and according to the company, is contained on over 700 million phones worldwide, including phones available in the …
"I smell another transgression by the Chinese Government."
Sending millions of users' digital family silver to a single well-known server, apparently without certificate pinning? Using plain old DES in the mix? I know one should never underrate the power of human stupidity, but frankly I'd expect Chinese surveillance agencies to make a better job of it. Actually, I think even North Korea would do a better job these days...
I'm beginning to think that trusting *any* software coming out of China is inadvisable.
It's hard to avoid, since so many computers, phones and other electronics are made there. You have no idea what might be tucked away in UEFI, or the firmware of your hard drive, or your phone's CPU.
I have a sinking feeling that when World War 3 starts, every Chinese-made computer, router, phone, etc. in the west will shut down.
I think this is correct. In fact my guess is that any given Android device is likely to have multiple backdoors and leakers, some government sponsored, some built in by Google from the start, some from chip manufacturers, some from ad/spamware app makers, some from criminal networks - possibly something put there by your spouse and/or your boss as well. Then you have the various wire taps on the mobile network, and on the Internet itself. Remember that Huawei make most of the infrastructure hardware used in UK mobile networks (and most of our home network routers as well), and that Huawei ≈ Chinese govt. Remember that our own government runs (not so secret any more) massive bulk data collection and analysis programmes. I think it's safe to assume that every call you make, every text you send, every HTTP request you make, is seen, logged and analysed by multiple parties, some more benign than others. If you think this sounds overly paranoid then you haven't been paying attention.
And as any Cavendish grower will tell you: a big part of the problem is monoculture.
"I think this is correct. In fact my guess is that any given Android device is likely to have multiple backdoors and leakers, some government sponsored, some built in by Google from the start, some from chip manufacturers, some from ad/spamware app makers, some from criminal networks - possibly something put there by your spouse and/or your boss as well. "
No wonder battery life is so poor on Android phones.
And now Google makes you turn on GPS to get some basic crap working. Let me just enter my location manually FFS! I DON'T WANT 1984 TO ARRIVE YET!
"https://www.apnic.net , put the numbers in the box at the top, press return and all will be revealed."
It's not advisable to take the piss out of other people if you don't even know the simplest solution yourself.
Go to the command line (know what that is?) and type "whois 118.193.254.27".
This post has been deleted by its author
"contractress."
No such word.
I don't think language works how you seem to think it does. (If it did you could have at least constructed a full sentence).
"As I do not know the posters technical ability"
Given they're posting to this site I suspect they're not novices.
Really? REALLY?? You quite often get posters on here who've clearly not even read the article they're commenting on. All you can be sure of is they can possibly manage to use some technical equipment without electrocution; or dictate to their carer.
"Run along now."
You're going to have to work harder at being patronising.
Oh, I dunno; I laughed out loud at that bit. Condescension to a tee. (I believe someone younger than myself might remark that 'you got served').
"I don't think language works how you seem to think it does. (If it did you could have at least constructed a full sentence)."
You can't just make up a word and expect it to suddenly appear in the OED or for others not to pick you up on it.
"Really? REALLY??"
Yes really. You think someone who normally is googling Towie is suddenly going to reply to an article on an exploit in android phones?
"Oh, I dunno; I laughed out loud at that bit. Condescension to a tee. (I believe someone younger than myself might remark that 'you got served')."
If you think that's clever condescension then clearly you've never been on usenet. It would rate a 2/10 at best. The only thing that got served was "her" (I doubt it's a she anyway) smart ass on a plate.
REAL* sysadmins do not use the command line. Real sysadmins sense the route taken from the spin of the photons flowing through the fibre.
Rosie
*Robotically Enhanced Advanced Lifeforms for those at the back of the class. Yes Smithers, I'm talking to you.
What fucked up distro do you use? Does it not have ping or traceroute or ssh installed either?
From my own experience, none of the following have the full set of network tools installed by default:
Redhat, Centos, Ubuntu, Debian (and its offshoots, like Mint).
They do have ping, and ssh, but not traceroute, whois, dig etc.
My immediate thought too.
"...is contained on over 700 million phones worldwide, including phones available in the United States."
"worldwide"? Meh. That's too bad. Good job the US is not part of the wide world.
"including phones in the United States"? Now wait a minute!! Are you kidding me?? A line has been crossed!
just good old-fashioned capitalism at work.
If you find yourself with an OS you haven't paid for - you should maybe question why it was free.
I'm a long-term Android user, and as such have accepted that I'm being subsidised by Google, and I'm OK with this. I benefit from the data-mining. Really quite nifty to be able to shout at my daydream headset to "show my photos of San Francisco" and see my geo-tagged holiday from 5 years ago, or slightly more disturbingly "show me pictures of Percy" and see pictures of my black moggy... actually I'm still bemused how they do this.. but impressive none the less.
Where I have concerns is where this information spreads beyond google. Not that I trust them, but I get a benefit and know they'll be sued to oblivion if they say record & publicly post my incognito browsing history.
Once you start using a third-party-rolling of AOSP, then well you might save a few quid upfront, but be careful..
If you really believe that a Chinese company would have the balls to lo-jack the firmware of allegedly 700 million devices without express authorisation of the Chinese government then you my friend, don't know nuthin bout China. You would hang for that. It's not advertising data, it's surveillance data.
just good old-fashioned capitalism at work.
Only if the customer doesn't care. Honest-to-God "Capitalism" is, after all, about selling stuff that the customer actually wants to pay for. (as opposed to the new model Corporatism : An Unholy Cancerous Fusion of Corporations with Government / Central Bank / Wall Street where everyone sucks each other's dick till the music stops due to lack of resources to prey on)
If you find yourself with an OS you haven't paid for - you should maybe question why it was free.
What does Windows 10 have to do with this?
"Adups .. is a leading global FOTA (Firmware Over The Air) provider of end-to-end device management and software solutions to leading firms that rely on fast, secure, robust connected services around the world."
There's the problem, if your firmware can be remotely updated then all claims of secure connected services are totally bogus.
Knowing a bit about computers and phones and that, it IS tempting to go "Full Luddite". Comes down to a compromise as always. I don't do internet banking. I don't buy things using my phone (Android). When I buy things online, I use PayPal or a credit-card. Am I safe? No, of course not. But I am hopefully safe enough that slower prey will be taken before me. So more of a "Soft Luddite" for me.
Then you're still very, VERY vulnerable since in this day and age any attacker can probably seek out hundreds if not thousands of victims at once, and even if it takes time, some are out there for the challenge so will see your hardened defenses as a bullseye.
IOW, you're gonna have to go FULL Luddite or you might as well not go at all for what difference it'll make. Unless you have an actual brick & mortar bank you can reach at any time (because otherwise you could be in trouble if you need to make a spot transfer to finish your purchase), unless you do ALL your shopping physically (which means you're out of luck with a lot of stuff that's ONLY available online, such as lots of repair parts and replacement components), then odds are you're vulnerable, if not by your phone, then by your PC which could very well be pwned without your knowledge.
Firmware over the air. Electric "smart meters". Either the firmware is fixed, and therefore forever hackable by all exploits. Or the firmware can be upgraded over the air, in which case somebody can reverse-engineer the upgrading process and install JoungSploder TM firmware. Or the utility company will send out a million little men with a screwdriver and a box full of ROMs. Ha ha.
How would your average Jane Q. Public be able to block such capabilities from phoning home in the first place, &/or remove such programs/capabilities entirely?
If essentially every Android phone we might touch is thus affected then I refuse to touch any of them at all. If I'm concerned that an ATM has a skimmer attached then I'm not about to slide my debit card through it, so if I'm concerned a phone is sending all my data to some other entity then I'll not use it either for the exact same reason.
So how can we stop it from working &/or rip it out entirely, thus rendering such devices as safe as they can be called given that they're being data-mined by Google?
"So that'd be a book how to survive in India ? Must not be that hard if 1.2 beeeelion people manage do it every day."
He may have been alluding to the news story of the last few days where the Indian govt. banned the 500 and 100 Rupee notes overnight. That's 85% of the in circulation paper currency, banks don't have enough stocks of other currency to exchange them, and FFS, it's pretty much the same, by value, as the UK Govt. banning £5 and £10 notes overnight. Although unlike the UK, India is very much a cash economy, which is the reason for the action. Most of the transactions aren't being declared and hence taxed.
There's even been stories (not sure if verified) of some people burning the notes rather than end up being taxed/fined on the transactions, apparently provable by some people having sacks of cash far in excess of the value of their declared taxable income.
Precisely. The Indian government is trying to rein in undeclared ("black") money so as to raise necessary tax revenues and hold the rich more accountable. And many are considering the move extremely audacious, particularly in light of Indian society being very "gossipy": being able to hide this move until past the point of no return in such a "gossipy" society is considered quite the coup.
Thing is, currency is only as good as the government that backs it. If the government disappears (like in Confederate money) or in this case withdraws its legality (the Indian case), or if hyperinflation whittles your cash value to less than the paper on which it was printed (German currency just before the rise of Hitler)...
I can't imagine why the previous comment was down voted.
That was my immediate thought - most carriers will go to any lengths to avoid passing on OTA updates, and most users don't realize the hazard.
A patch is completely worthless if you can't get it on to your device.
This post has been deleted by its author
"It's everything to do with Android. You can't trust Android firmware, and it likely won't ever be properly patched / updated."
If you can't trust Android firmware, then you can't trust ANY firmware, for that matter, since where's the money in a one-and-done?
China really needs to export to sustain its economy, the internal market won't be enough. And it needs foreign money to buy all the resources Yuan wouldn't buy. China is far from being even close to be self-sufficient. Just think how much unemployment and related issues a collapse of export may lead to...
"China really needs to export to sustain its economy, the internal market won't be enough. And it needs foreign money to buy all the resources Yuan wouldn't buy. China is far from being even close to be self-sufficient. Just think how much unemployment and related issues a collapse of export may lead to..."
China also knows export economies can't last forever. They DO need to turn inward, and if they need something they don't have right now, recall they have a massive surplus of MEN around. At this juncture, war with the neighbors could be a win-win for them. After all, who's going to stop them when America's too far away and they have nukes and a willingness to go MAD if all else fails?
"There's very little China needs that they can't provide for themselves. They're pretty much the closest in the world to self-sufficient."
I think the US is closer to being self-sufficient in the two areas that really count: food and energy.
China has to import food because they don't currently produce enough to feed their population.
That is a turn-around from their situation 10 -15 years ago, and it could change. But most likely that will be that food imports continue to rise. Depending on how much you import, even a short interruption can have an immediate effect - people can go hungry or starve.
China also has to import about 7 million barrels of oil a day to keep the wheels turning and the factories running - I don't see them becoming self-sufficient there any time soon.
"China has to import food because they don't currently produce enough to feed their population.
That is a turn-around from their situation 10 -15 years ago, and it could change. But most likely that will be that food imports continue to rise."
They've got tons of arable land, and they WERE net-positive not that long ago, meaning they have the means to turn this around, probably by reducing their population in various ways.
"China also has to import about 7 million barrels of oil a day to keep the wheels turning and the factories running - I don't see them becoming self-sufficient there any time soon."
Haven't you heard their rush to build windmills and nuclear reactors? Sounds like they're already working on the problem.
"They've got tons of arable land, and they WERE net-positive not that long ago, meaning they have the means to turn this around, probably by reducing their population in various ways."
"Haven't you heard their rush to build windmills and nuclear reactors? Sounds like they're already working on the problem."
Well, we were talking specifically in terms of a Trade War and if those food and oil imports stop flowing in - you'll feel the effects pretty quickly.
But not quickly enough. China is overpopulated; they'd probably be willing to let a few million die to play the long game since it would kill two birds with one stone. No one's stupid enough to try a mass uprising, not after Tiananmen Square.
Here, take a look at this. China will take short-term hurt for long-term gain since they could stand shedding some load. A trade war would benefit China long-term, and we know they already have plenty of untapped resources. All they need is a reason to tap into them again.
They are root-aware as some dimwits believe that the security model of Android is worth more than the storage its documentation takes.
Since malware typically is shipped by the manufacturer and you can avoid installing malware via the crap-store, rooting is a sensible way to have a minimum level of security.
No, they are root-aware because they can't trust the operating environment if root exists, as root can blind practically every other sense available to them unless you're like Google and can employ an extra set of "eyes" to double-check (like they do with Android Pay).
And no, not all malware is built-in or comes with an app. If Stagefright is any indication, it can be done from without as well using a drive-by exploit or other basic attack.
Ask them about the firmware and ask them to block the domains and IPs involved.
As an individual you likely won't get far, but if you run an enterprise account (Pretty sure more than one El Reg Comments reader does!) you might get some traction if more than a couple of folks make noise.
While we're at it, put 127.0.0.1 entries for the bogus domains and null route the parent IP ranges at the edge of the corporate network.
Sure, the above is not going to be close to 100% effective, but worth the effort to reduce the attack surface here.
/playing whackamole
I smell horseshit. (Deliberate or accidental typo
"The firmware is managed by Shanghai Adups Technology, and according to the company, is contained on over 700 million phones worldwide,"
Think about that, let it sink in and then question the rest of the article, misleading clickbait like "Security researchers have uncovered a secret backdoor in Android phones"
(Nothing to do with Android at all, other than it's the OS above the firmware in question)
This post has been deleted by its author
"According to Adups, the software featured on the phone tested by Kryptowire was not intended to be included on phones in the United States market."
I mean, who among us can say that they've never accidentally installed spyware on millions of phones bound for pockets and purses in their greatest international rival?
Instead, I end up with a few technical commentaries, and a huge mess of American Politics.
a) Homo Sapiens.
period. Melanin not withstanding.
b) male/female.
well -- kinda need both in the equation at the moment or Homo Sapiens stops dead.
c) We all live in our own little fact bubbles. Some of us can see out of them to expand our horizons. Some have set their bubbles to translucent. Sad but true.
Long and short, from a quick read, this is apparently firmware on a specific list of hardware, not all. I'll be checking the 'droid units around here. Since I've the tools and abilities I'll cap the hostnames and any relevant IPs at the network if I find em. I might even share.
"a) Homo Sapiens.
period. Melanin not withstanding."
Would you call cabbage, broccoli, kale, cauliflower, savoy, Brussels sprouts, kai-lan, and Jersey cabbage different vegetables? Well, they're ALL from the same species: brassica oleracea. So distinctive (perhaps even genetically-significant) variation within a species is quite possible.
So not so period.
Since the spyware is a system app, there's a chance it's also been configured to ignore VPNs, thus defeating a no-root firewall (where the VPN is your only possible angle). It may even be able to ignore HOSTS files if it can go straight to the socket.
The best option would be to flash a new ROM onto the phone, one with the stuff completely removed, but support for these kinds of phones tend to be sketchy in the modding communities. I have one such device at the moment (a throwaway I got in Asia, currently without a battery), and while I could root it, I could do nothing about the telemetry stuff even with root.
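The hosts-file and null-route mitigation suggested in the earlier comment ("put 127.0.0.1 entries for the bogus domains and null route the parent IP ranges at the edge"), together with the caveat just above that a system app can go straight to the socket and never consult a hosts file, as an added Python example that is not code from the thread or from the article. It turns an indicator list into hosts(5) lines and iproute2 blackhole routes for the enclosing /24s, merges the hosts lines idempotently, and checks whether a hard-coded address that bypasses DNS would still be dropped at the edge. The domain names are constructed placeholders; 118.193.254.27 is the address a commenter above ran whois on, and the other addresses are constructed for illustration.

```python
"""Block a firmware's phone-home endpoints at two layers: hosts file and edge null-routes.

Added example, not code from the thread or the article. Domain names are
constructed placeholders; 118.193.254.27 is the address quoted in the thread,
the remaining addresses are constructed for illustration.
"""
import ipaddress

# Constructed indicator list (placeholders, not a published IoC set).
INDICATOR_DOMAINS = ["fota.placeholder-adups.invalid", "bigdata.placeholder-adups.invalid"]
INDICATOR_IPS = ["118.193.254.27", "118.193.254.40", "198.51.100.7"]


def hosts_entries(domains, sink="127.0.0.1"):
    """One hosts(5) line per domain: lower-cased, trailing dot stripped, de-duplicated."""
    seen, lines = set(), []
    for name in domains:
        name = name.strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            lines.append(f"{sink} {name}")
    return lines


def parent_networks(ips, prefixlen=24):
    """Aggregate single addresses into their enclosing /prefixlen networks (sorted, unique)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips}
    return sorted(nets)


def null_route_commands(networks):
    """iproute2 blackhole routes for a Linux gateway; a static route to Null0 does the same on a router."""
    return [f"ip route add blackhole {net}" for net in networks]


def merge_into_hosts(existing_text, new_lines, marker="# phone-home-block"):
    """Insert or replace a marked block in hosts-file text, so re-running is idempotent."""
    begin, end = f"{marker} begin", f"{marker} end"
    lines = existing_text.splitlines()
    if begin in lines and end in lines:
        i, j = lines.index(begin), lines.index(end)
        lines = lines[:i] + lines[j + 1:]
    return "\n".join(lines + [begin, *new_lines, end]) + "\n"


def caught_at_edge(ip, networks):
    """True if a hard-coded address (which a hosts entry never influences) falls in a null-routed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = parent_networks(INDICATOR_IPS)
    print(merge_into_hosts("127.0.0.1 localhost\n", hosts_entries(INDICATOR_DOMAINS)))
    print("\n".join(null_route_commands(nets)))
    # A sibling address in the same /24, reached without DNS, is still dropped at the edge.
    print(caught_at_edge("118.193.254.99", nets))
```

The hosts lines only help processes that resolve names through the system resolver, which is exactly the gap the comment above describes; the edge null-routes are the layer that also catches a client with a hard-coded address, at the cost of being only as complete as the indicator list and the prefix length you choose.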
The article states:
"Adups has not published a list of the phones its software is included in, although it is known to provide its software to the two large Chinese phone manufacturers Huawei and ZTE."
Then a Huawei spokesperson states:
"The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them."
Which is it? Register, what do you mean when you say "it is known to provide its software to the two large Chinese phone manufacturers Huawei and ZTE?" What's the source for that?