The Rootkit Of All Evil – CIQ

We may earn a commission for purchases made using our links.

And the spy and invasion of privacy saga continues, but this time XDA Recognized Developer TrevE seems to have hit the very core of most of what is happening with devices. You may recall from a few articles back that we started talking about something called CIQ or Carrier iQ. This is, essentially, a piece of software that is embedded into most mobile devices, not just Android but Nokia, Blackberry, and likely many more. According to TrevE, the software is installed as a rootkit software in the RAM of devices where it resides. This software basically is completely hidden from view and in it virtually invisible, and worst of all, rather complicated to kill (some devices more so than others and you will see why in a few minutes). This is given root like rights over the device, which means that it can do everything it pleases and you will have nothing to say about it.

Why do we go into this? Well, a while back I was having some conversations back and forth with TrevE regarding all the HTC’s PoCs that he has been working on, and he started wondering about CIQ, as according to him, was one of the worst things that he had found in HTC’s code. So, he decided to start digging a little into this and found out that there is much more to be said regarding this software than even manufacturers will dare say. It turns out that CIQ is not exactly what many people don’t see (as it is hidden), but it is rather a very useful tool for system and network administrators. The tools is used to provide feedback and relevant data on several metrics that can help one of the aforementioned admins to troubleshoot and improve system and network performance. Point and case, the app seems to run in such a way that it allows the user to provide the input needed via surveys and other things. To put things in a more visual way, this is what CIQ should look like

And here is what CIQ actually looks like both in Samsung and HTC devices respectively

See the difference? Oh, and in case you are wondering, the first image is from a “virgin” copy of CIQ. Our beloved dev found a pristine copy of this along with a ton of information, including training videos, guides, and a whole bunch of material that will essentially make your hair stand straight up. There far more than just cosmetic changes in the versions above. The menus and surveys are completely stripped out in the HTC version and partially in the Samsung one, making it impossible to understand unless you truly know what you are looking at. For instance, the so called option to opt out of this is not present either at all in HTC devices and it is very difficult to turn off in Samsung devices. On top of that, you can see some events or triggers that will basically allow this app to collect data (thanks XDA Recognized Developer k0nane for your work on Samsung devices)

Known triggers found on HTC Phones: Key in HTCDialer Pressed or Keyboard Keys pressed:

Intent – com.htc.android.iqagent.action.ui01 App Opened –

Intent – com.htc.android.iqagent. action.ui15



Sms Received –

Intent – com.htc.android.iqagent. action.smsnotify



Screen Off/On –

Intent – com.htc.android.iqagent. action.ui02



Call Received –

Intent – com.htc.android.iqagent. action.ui15



Media Statistics –

Intent – com.htc.android.iqagent. action.mp03



Location Statistics –

Intent – com.htc.android.iqagent. action.lc30 Known Samsung triggers provided by provided by XDA member k0nane UI01: screen tapped in any location, or InputMethod (any soft keyboard) key pressed. NT10: HTTP request read. NT0F: HTTP request send. UI11: unknown, located in the View class, which has its own IQClientThreadRunnable subclass. AL34: loading started in a browser frame – URL. AL35: loading started in a browser frame – data receive begin and end, page render begin and end. AL36: data length.

(The above two are also found in LoadListener and WebViewCore classes. Web metrics are not found on the Skyrocket, but are on the Epic 4G and Epic 4G Touch.) HW03: battery status changed. (Also not found on Skyrocket.)

Want more? The kind of “metrics” or data that this app can collect. In the original version of the app, the app is set to collect things such as network status, equipment ID and manufacturer, and much more. All this data is then pushed to a “portal” where the administrator can see, filter, accommodate, and virtually arrange all the metrics reported by the app in any way he/she sees fit. What is more, according to some of the training documents, CIQ can virtually consider anything as a metric, and record it. For instance (great example by TrevE), lets say a network admin is recording data for people with dropped calls in California at 5 pm. Because of all the metrics that could be obtained via the different triggers, that same network admin will not just know that you got a dropped call at 5 pm in California, but he/she will also know where in California you were located, what you were doing with your phone at that given time, how many times you accessed your apps until that time, and even what you have typed in your device (no, this last one is not an exaggeration, this thing can act as a key logger as well). Scared already? If not, here is a snippet of some of the metrics that this thing can gather

Since we have already presented enough facts, let us dive straight into the core of the issue. We have no voice at all on this issue. There is little that we can do about this data being collected without us rooting the device and breaking the warranties on them (not that we usually care about doing this anyways). But the problem is that all this data, all this information about you, how you use your device, your every day activities, everything you do with your device is logged and sold. Not too long ago, Verizon came forth (probably as they saw this coming) and decided to provide its customers with the option to opt out of this activity. Basically, preventing Big Red from selling your data (but not from collecting it). Sprint, on the other hand, has gone as far as denying its existence at one point. Now, we know that this is all part of the contract that you go into when you buy a phone from them, right? Wrong! According to Sprint, even if you were to buy a device straight out of eBay and have no service on Sprint (use it as a Wifi media player if you will), Sprint can still collect this data from you. You are bound and chained with them, even if you never planned on doing this.

Another point is the legality of the issues being raised with the kind of information that they collect. Some data can be meaningful for network performance and even for advertising purposes, but to monitor everything down to what you type, that is a little too much in this writer’s opinion. I mean, what kind of permissible purpose is out there that can allow a company to legally place a key logger on something and use it when you are not even getting service out of them? This is far beyond, at this point, the fact that the data could potentially be accessed, intercepted, or even loop holes being present in the code. This is a matter of our rights to privacy as consumers.

Protecting yourself from unfair practices will likely be frowned upon if you were to call Sprint right now and ask them for a way out. However, TrevE does provide a way to manually remove this stuff from some HTC devices while k0nane provides a full removal toolkit for several Samsung devices . Alternatively, there are custom roms out there that have the CIQ and other “services” removed. Please try those out if you are not too comfortable with manually editing stuff in your device.

This is a clear infringement of consumer rights in down to its core. Not being able to opt out is downright ridiculous and we would like to request that this is fixed in upcoming devices and software updates. Remember, we may not be the vast majority of your users/customers, but unfortunately for you, our communities are the ones who can make your sales efforts into a living nightmare. Consumers are the ultimate key holders and we suggest that you stop looking at us as dollar signs and more like people and customers. All in all, I am not for sale and my privacy is priceless.

You can find more information in the original blog article by TrevE.

Want something published in the Portal? Contact any News Writer.

Thanks TrevE for all your hard work. You rock, man!!!