My phone is sending all my data to China, or is it?


Well, that was quick! On Nov 07, 2016 my article about the Doogee T3 went online on Engadget Open Access, in which I said

...I have not seen any evidence that any data is funnelled through to diverged to China. There appears to be no Malware on the phone [sic]...

and about a week later (Nov 15, 2016), however, another article appeared on the Kryptowire.com website and suggested they had identified

...several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers

This was due to a piece of firmware from Shanghai's Adups Technology Co. Ltd. that allows over-the-air-firmware upgrades. And to demonstrate the scale of the problem: Adups Technology Co. Ltd claims to have a

world-wide presence with over 700 million active users


And my Doogee contained that piece of software:

MacBook-Air:~ martin$ adb shell ps com.adups.fota
USER      PID   PPID  VSIZE  RSS   WCHAN              PC  NAME
system    7463  314   1610208 27716 SyS_epoll_ 0000000000 S com.adups.fota.sysoper
u0_a28    31265 314   1617532 34592 SyS_epoll_ 0000000000 S com.adups.fota
MacBook-Air:~ martin$

D'oh! Word got out quickly that my new phone was "rooted and sending all [my] data back to China".
But does it?
As I said, I had not seen any suspicious activity on my router - although that is what triggered the Kryptowire investigation. And I even installed a firewall on the phone that lights up every time something wants to talk to the internet. Nothing. I found no evidence that anything on my phone wants to connect to any of the IP addresses or domains listed in the article.
I contacted Doogee, but they are still to reply. I contacted Kryptowire and they quickly and very kindly offered to have a look at my firmware (which is ongoing).
Turns out only versions 5.0.x to 5.3.x of the Adups Software are affected, and I am not running any of them -- I am running 4.3.x -- and to find out your version you can check under Settings > Apps and head to the System apps (there is a menu item for that). Then head down to Wireless Update - there is a version number and (importantly) a Disable button.


After that check again:

MacBook-Air:~ martin$ adb shell ps com.adups.fota
USER      PID   PPID  VSIZE  RSS   WCHAN              PC  NAME
MacBook-Air:~ martin$

And it is gone.
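The version check described above can also be scripted over adb. This is an added example, not part of the original post: it assumes the versionName reported by `dumpsys package` is the same number shown under Wireless Update, and the sample dumpsys text is constructed.

```shell
#!/bin/sh
# Added example: package names are the two seen in the ps output above; the
# affected range (5.0.x to 5.3.x) is the one stated in this post.

# Constructed sample of `adb shell dumpsys package com.adups.fota` output.
SAMPLE_DUMPSYS='Packages:
  Package [com.adups.fota] (0000000):
    userId=10028
    versionCode=43 targetSdk=23
    versionName=4.3.2'

# Read dumpsys output on stdin, print the first versionName value.
extract_version_name() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Classify a version string against the range the post reports as affected.
adups_version_status() {
    case "$1" in
        5.[0-3]|5.[0-3].*) echo affected ;;      # 5.0.x .. 5.3.x
        [0-9]*.[0-9]*)     echo not-affected ;;  # e.g. 4.3.x, 5.4.x, 5.30.x
        *)                 echo unknown ;;       # empty or unparsable
    esac
}

# Query a connected device (needs adb and USB debugging enabled).
check_device() {
    for pkg in com.adups.fota com.adups.fota.sysoper; do
        # tr strips the CRs that older adb versions append to each line
        ver=$(adb shell dumpsys package "$pkg" | tr -d '\r' | extract_version_name)
        if [ -z "$ver" ]; then
            echo "$pkg: no versionName reported (package absent?)"
        else
            echo "$pkg: version $ver -> $(adups_version_status "$ver")"
        fi
    done
}

if [ "${1:-}" = "--device" ]; then
    check_device
else
    ver=$(printf '%s\n' "$SAMPLE_DUMPSYS" | extract_version_name)
    echo "sample: version $ver -> $(adups_version_status "$ver")"
fi
```

Run it with `--device` to query a connected phone; without arguments it classifies the constructed sample.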
So what happened there?
My reading of it all is this: Adups is a genuine company and their software allows phone users to do firmware upgrades 'over the air', i.e. without plugging the phone into their computer. And if you make and sell mobile phones and you want to offer this ability to your customers you can put Adups's software onto the phones you sell.
And the nature of this --being able to talk to the internet, to find updates and being able to download & install new software on your phone-- puts Adups in a fairly elevated position. And at some point they decided to exploit that by collecting information about you, sending that to some servers "in China" and then installing other software that displays targeted ads.
Reports of this surfaced about two years ago.
But this has not stopped some manufacturers from still using and shipping that software in 2016 -- even if they claim this was only meant for specific local markets, and never meant to go "global".
But with the rise of globalisation and Amazon you can practically buy anything from anywhere, for instance, Chinese mobile phones in the UK and US. In any case it will be interesting to follow the lawsuit just filed against BLU and Adups to see how this pans out.
Any practical lessons? Well, I think you should try and keep your data safe, regardless of what your phone does, for instance by not using the standard Email client. So that at least when something does want to grab them they are in a different place. Also, running a firewall and Antivirus on your phone will help you control which application talks to the outside world, and which one does not. But for this you obviously need to know what you are looking for, as even applications that have a legitimate reason to send information might be sending the wrong things. And that is where articles like the Kryptowire one can be helpful, so keep informed - even if I think they overestimated the scale of the problem a bit. In the end you just have to trust your manufacturer, especially in a fairly open ecosystem like Android.
