Written by Chris Bing

More than 700 million Android smartphones, some of which were used in the U.S., carried hidden software that enabled surveillance by tracking user’s movements and communications, a Virginia-based team of security researchers found.

The firmware, discovered by Kryptowire, was reportedly authored by Chinese startup Shanghai Adups Technology Company. It was largely discovered on disposable and prepaid phones made overseas. An undisclosed Chinese manufacturing company is believed to have paid for Adups’ work.

The malicious software was so well hidden that it was nearly impossible to detect, researchers told CyberScoop. It remains unclear whether this backdoor was designed to siphon data as part of an espionage operation or if the perpetrators wanted to indiscriminately collect bulk data for business-related purposes.

“The traffic was encrypted multiple times and the servers that were being used were also part of the firmware checking and updating process,” said Kryptowire Vice President Tom Karygiannis.

“Even if an average user was able to notice the traffic, he/she would not be able to understand what this traffic was about. Given that this same domain was used for firmware updates, it is highly unlikely that the users or an internet provider for that matter, would have recognized the traffic as [personal identifiable information] transmission because it was camouflaged as part of the firmware updating/checking process,” Karygiannis told CyberScoop.

The researchers discovered that Adups’ firmware transmitted data packets to a Chinese server every 72 hours. These packets contained user’s call logs, text messages, contact lists, GPS location and other data.

“The Department of Homeland Security was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies,” said DHS spokesperson Marsha Catron. “We also encourage all Americans to take precautions to ensure the security of their data and personal information, including using strong passwords, maintaining up-to-date antivirus software and minimizing the amount of personal data they share online.”

According to the Chinese startups’ official website, Adups’ clients include two of China’s largest cellphone manufacturers: ZTE and Huawei. BLU Products, an American phone manufacturer, told the New York Times that 120,000 of its phones were affected and that a subsequent software update would eliminate the surveillance feature.

Executives at Adups reportedly assured BLU Products’ CEO Samuel Ohev-Zion that all of the information taken from the Florida-based smartphone provider’s customers had been securely destroyed.

“We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not,” a ZTE spokesperson said.

Though flaws in software are commonly exploited to exfiltrate private information, that isn’t what happened between Adups and BLU. Instead, it appears that a backdoor was purposefully installed without the knowledge of retailers or the customers eventually relying on those devices.

“Intentional or not, these hidden backdoors can be dangerous as adversaries can become aware of their existence and use them to intercept traffic or disable a communications system in a way that firewall and intrusion detection systems aren’t able to detect,” said Kevin Kelly, CEO of supply chain cybersecurity firm LGS Innovations.

Krptowire shared a report with U.S. officials before publishing its blog post. The Fairfax, Va.-based cybersecurity firm’s research became public Tuesday.

A lawyer for Anups characterized the incident as a “mistake,” telling the New York Times that the software was designed to help this specific client improve customer support tools.

“There are many Android devices that depend on different software manufacturers as part of their supply chain. Google has the Google Mobile Services certification process and compatibility process. [But] these processes are not designed for security and privacy. The disconnect in this case is between the device manufacturer and their firmware supplier AdUps. Also, Google’s device testing and certification processes appear to have missed the PII collection and transmission,” Karygiannis said.

The National Counterintelligence and Security Center, a U.S. government agency that recently shared information on how U.S. businesses can better manage supply chain security from threats like the aforementioned introduction of malicious computer code, declined to comment for this story.

“The scope of this issue [malicious backdoors] has risen dramatically in recent years as cell phones and network devices become more complex, containing millions of lines of code in their source code. The origin of this code can span dozens of developers across countries that have varying levels of security controls,” Kelly told CyberScoop.