Android has been plagued by malware, security vulnerabilities, and now, privacy issues. It started with HTC’s logging application, which over-zealously logged aspects of phone use in insecure ways that made the data accessible to any application, and more recently has come to a head with the discovery of the Carrier IQ application.
The Carrier IQ application is supposedly a diagnostic tool which sits on a variety of phones including Android, iPhone, and some “feature” phones. This diagnostic tool is sold to handset manufacturers or service providers and placed in the firmware of the phones shipped to the users. In the Android incarnation of the software, it is enabled by default and can log extremely detailed information about users. The application is somewhat hidden and cannot be turned off or uninstalled without having rooted the phone. These behaviors are fairly consistent with those of advanced malware or even rootkits, and the application is a gross invasion of privacy due to the kinds of information it collects.
The application collects the following data:
- Phone Keypad Presses
- Website URLs (regardless of HTTPS encryption)
- Home/Properties/Back/Search button presses
- Battery State Changes
It also requests access to many hardware and system resources in Android, including “services that cost you money” and “personal information”.
Admittedly, the collection of location on its own may not be a big deal to many people, but the fact that it is collecting URLs which should be encrypted is a problem. This could expose sensitive user credentials. Collecting phone call key presses is even worse because it can easily collect banking PINs, credit card numbers, passwords, and more. The application even has access to sound and recording functionalities, which means it could be turned into an all-in-one surveillance device.
There is absolutely no reason for a diagnostic application to collect the amount of data it is collecting. There is no reason for a diagnostic application to record key-presses or any other user action when crash reports are readily available from the phone's operating system. This should not have happened.
Wired has managed to put together a list of phones and carriers which do not run the malicious software on their phones. Check to see if you have a secure device or carrier here.
More interesting is that this has only now started to become news. Forum posts from before October indicate that some power-users of Android devices have noticed this software operating in the background of their phones since March of this year. See the original posts here.
Some software to detect installs of Carrier IQ has been developed by the author of the initial research and can be found HERE (the tool has been around since mid-November). However, note that it may not find all instances of the application, as its installation files can be in different locations from phone to phone. If you have a rooted phone, the detection tool will also search for several other known logging services and display their collections as well.
Note: This affects iPhone and some Android users, but the iPhone incarnation of the application is harmless when compared to its Android version. It is not on by default, and can be disabled easily. iPhone users can disable Carrier IQ with a few simple steps (as opposed to removal on Android, which requires root access); see directions from ZDNet.