
New research suggests that some of the best Android devices sold in China come with preinstalled spyware apps that track and collect users’ data.
The study, published by computer scientists at several different universities, reveals that handset makers such as Xiaomi, OnePlus, and Oppo Realme are collecting massive amounts of sensitive user data via their respective operating systems, and the same goes for a variety of apps that come pre-installed on the phones. The researchers worry that the devices in question “send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators.” Moreover, since private industry in China has a close relationship with the government, chances are that some of that data also ends up in the authorities’ repositories.
“Overall, our findings paint a troubling picture of user data privacy in the world’s largest Android market and highlight the urgent need for tighter privacy controls to increase the ordinary people’s trust in technology companies, many of which are partially state-owned,” the researchers write.
Researchers experimented with several devices and conducted network analysis on them to understand relevant data leakage. In general, they assumed that the device operator would be a “privacy-aware consumer” who has opted out of sending analytics and personalization data to providers and doesn’t use cloud storage or “any other optional third-party services.”
The PII collected included basic user information like phone numbers and persistent device identifiers (IMEI and MAC addresses, advertising IDs, and more), geolocation data, and data related to “social connections” like contacts and their details, the study found. As a result, the recipients of this data would have a pretty clear picture of who is using a particular device, where they are using it, and who they’re talking to. Moreover, since phone numbers in China are also tied to an individual “citizen ID”, the government can pinpoint every user.
The problem is that all this data is being collected without any user notification or consent, and there’s no way to opt out of this data collection. Plus, this data harvesting doesn’t stop when the device and the user exit China, even though different countries have different privacy laws that should impact how information is collected.
Researchers found that data was sent to Chinese mobile operators even when they weren’t providing service, like when there was no SIM card.
Now, it’s no secret that the Chinese government is harvesting data at a vast scale. What is troubling is that this is happening even though it recently passed a GDPR-style privacy law that is supposed to protect Chinese consumers from data collection without consent.
We must add that these data harvesting practices have only been caught in Chinese phones that are sold in China. We doubt they do the same with the phones sold through official retail channels in Europe and the U.S., as the user must approve any data collection; otherwise, the EU or the U.S. won’t allow said devices to be sold in their respective markets.
Also, this is another warning for us to be careful about what we buy and where we buy it from. So instead of getting your gear from AliExpress to save a few dollars/euros, you should buy your devices from official retailers in your country. And, of course, install a VPN on the device when you have it in your hands. 😉