Shanghai ADUPS Technology Co., which provides professional Firmware Over-The-Air (FOTA) update services to mobile devices, has been under scrutiny for allegedly sending user information from some U.S. phones to China.
Security contractors have identified several Android mobile devices with pre-installed software that collects personal user data and transmits it to third-party servers. The data includes phone contacts, text messages, call history, and location information, all collected without user disclosure or consent.
According to the U.S.-based cybersecurity firm Kryptowire, which first exposed the spyware, the firmware came pre-installed on mobile devices, and subsequent updates allowed remote installation of applications without the knowledge of users. Because the firmware is native to the device, it is presumed to be an integral function and bypasses anti-virus detection.
A report from The New York Times, however, stated that it is still unclear whether the vulnerability is used merely for marketing-related behavior tracking and data mining or in a conscious effort to collect intelligence.
Although it admitted to collecting private user information, the Shanghai-based software company told China's state-run media Global Times that the collected information was not disclosed to third-party entities. Moreover, according to Kryptowire, multiple layers of encryption protect the information sent over secure web protocols to a Shanghai server.
In its defense, ADUPS said that the surveillance capability of the software it provided was intended for an unnamed Chinese manufacturer, not for American phones, to help its clients screen out junk messages and calls.
The company also reiterated that phone companies, not ADUPS, are accountable for disclosing privacy policies to users.
ADUPS has since eliminated the feature and all the information taken from one of its U.S. customers.