Smartphones made for the China home market are full of it (Spyware)

Three UK researchers have discovered that smartphones made for the China home market are packed with mandatory spyware. Things the West would never tolerate.

Haoyu Liu, Paul Patras (both from the University of Edinburgh, UK) and Douglas J. Leith (Trinity College Dublin, Ireland) released an extensive study of smartphones made for the China home market, including Hong Kong and Macau).

They found an alarming number of preinstalled system, vendor, and third-party Apps with dangerous privileges. Traffic analysis reveals that these transmit privacy-sensitive data to third-party domains. Things like – the user’s device (persistent identifiers); geolocation (GPS coordinates, network-related identifiers); user profile (phone number, app usage); and social relationships (e.g., call history), without consent or even notification.

Relax – This is for the China home market only (or is it?)

China is the largest global Google Android market (Android accounts for 70% of phones). Since 2014 Google Mobile Services (GMS), Google Play Services (Apps) and YouTube are not accessible in China. Chinese smartphone makers and developers have a comprehensive set of Google App suite substitutes. Huawei supplies its Google-like Mobile Services (like Maps, Finance, Search etc.) and App Stores like Baidu. Google provides security patches to smartphone makers that may or may not roll them out to users.

Under Made in China 2025 – a policy with intended consequences (opinion), smartphones made for the China home market must run a Chinese-developed/sanctioned Android fork. In preparation, all Chinese smartphone makers have developed User Interfaces that can sit on top of either Google Android or likely Huawei’s Harmony OS Android fork.

Don’t worry; Western markets still get Google Android and all its services. All you must be concerned about is Google using your data for targeted advertising.

What the researchers found for Smartphones made for the Chinese home market

They analysed three of the most popular Android phones sold in China – OnePlus (Oxygen OS), Xiaomi (MIUI) and Realme (realme UI). The brands and models are immaterial – it applies to all handsets for the home market.

All devices were factory reset, had updated firmware, opted out of analytics, personalisation, location, diagnostics, cloud storage, recommended third-party Apps, vendor accounts and much more*. No SIM card was inserted. The test was via a VPN Tunnel (on UK Broadband networks) to a Chinese Huawei cloud. In other words, as clean as possible and emulates a local Chinese user.

A tsunami of data constantly flowed from each phone to the vendor, third parties, China Mobile, China Unicom (no SIM and mobile data disabled), Baidu and CCP-related parties, including:

  • Persistent device identifiers (IMEI, MAC address, etc.)
  • Location identifiers (GPS coordinates, mobile network cell ID, Wi-Fi access points, etc.)
  • User profiles (phone number, installed Apps, app usage patterns, app telemetry)
  • Social connections (call/SMS history/time, contact list, phone numbers, etc.)
  • Citizen ID (a unique tracking ID for each Chinese inhabitant) that deanonymises the data making it personally identifiable.

The worrying thing was that this test was in the UK with no mobile data services enabled, yet China’s government-owned Telcos also got that information. Chinese international students, businesspeople, government officials and travellers, take note!

* What system apps track you regardless of permissions

During the device setup stage, the user must agree with the terms/conditions and to a customised set of options. The researchers acted as privacy-aware users and unchecked all the options presented by the OS. But the following (and more) surreptitiously transmit data.

  • Turn On Screen to Activate
  • Location.
  • Send Usage data.
  • Send Diagnostic data.
  • Automatic System Updates.
  • User Experience Program.
  • System Navigation Mode.
  • Automatically Select the Best Wi-Fi.
  • Automatically Switch to Mobile Network.
  • Lock Screen Magazine.
  • Auto Update Overnight.
  • Learn Swipe Gestures.

It gets worse – preinstalled system Apps are rampant with spyware

A comparison of preinstalled system apps on the Chinese (CN) with Global (e.g., EU) Android OS distributions found that there were three to four times more preinstalled third-party apps, given eight to ten times as many permissions, including those classed as dangerous by Global distributions.

Even simple preinstalled system apps like Browser, Maps, Camera, Clock, Weather, Notes, Files, Photos, Recorder and more gather and transmit data. The China version of the Goodix Fingerprint reader driver requires permission to access the Calendar, Camera, Contacts, Messages, Call log and Audio recording. Why when it merely unlocks the device?

Their summary: pre-installed third-party apps ask for a significantly larger collection of permissions, including dangerous permissions, than Global distributions.

Please sign in to our User Experience Program for benefits – a big no!

Creating a user account using Facebook, Google, or email requires disclosing personal information linked to device identifiers. If used for mobile payments, it becomes linked to a person’s financial details (e.g., credit card).

Then there are the third-party data-harvesting apps

Smartphones made for the Chinese home market have Chinese input apps (keyboard, touch, and voice), video streaming Apps (such as Youku and Tencent TV), Domestic Map apps (e.g.,
Baidu Map and AMap), WeChat/Pay, Chinese News, video streaming, online shopping apps and many more. ByteDance (TikTok) is also usually pre-installed.

It is no secret that Chinese-made smartphones track activists in Hong Kong and Uyghurs and keep tabs on its citizens via the Study the Great Nation App. Analysis of the mandatory app shows:

  • A backdoor granting complete remote administrator-level access to a user’s phone.
  • Actively scans apps, comparing them to a blacklist.
  • Uses weak cryptographic algorithms in areas containing sensitive user data.
  • Sends daily, detailed user app logs, including a wealth of user data and app activity.
  • Tracks the phone (IMEI, device model, brand, device ID, AppKey, rooting status); Connection information (Wi-Fi-SSID, carrier, VPN-check); User information (UIDs, cookies, session-IDs, Event-, Page- and Track-IDs, calls, call statistics, contacts); Location; Running processes and services.

All athletes at the 2022 Chinese Winter Olympics had to download the My2022 App. It was subsequently identified as spyware with numerous remote capabilities – make phone calls, connect to Wi-Fi, open GPS, get clipboard data, and more. Some of that was athlete medical and sports performance data.

These have dangerous permissions, including reading/writing call logs and contact lists. They exfiltrate encrypted PII data to who knows where using who knows what hardwired back doors. You cannot close any of these back doors.

Who gets access to what?

First, remember that any Chinese company must comply immediately with Chinese Communist Party (CCP) requests to view data – no ifs or buts. The study found that all smartphone data made for the Chinese home market must be stored in Chinese clouds on the Chinese mainland under the China Data Protection (CDP) Law.

It found that Global handsets used server clouds outside China to circumvent CDP.

Researcher Summary

China OS distributions transmit a much larger range of PII to backend servers than Global distributions do, even though the same companies develop them. This is facilitated by

1) the granting of dangerous permissions to some pre-installed apps by default;

2) several preloaded third-party apps are allowed to run continuously in the background. The user cannot disable these.

CyberShack’s view – Don’t buy smartphones made for the China home market

First, let’s be 100% clear. This issue is only for all smartphones sold in China and its territories or bought grey market. It is not a witchhunt for certain brands because, as the OPPO Global model image above shows, these are all clear.

We won’t comment on the eventual good or evil use of the PII data of Smartphones made for the China home market. What is concerning is the lack of privacy Chinese people have compared to the relatively benign advertising-led data collection of Global handsets.

A few years ago, we would have said something like, “Mr and Mrs Wang are not interesting enough to spy on.”

But add in the tremendous advances in AI, machine learning, computing power, speech-to-text transcription, photo identification, and you start to see the dark side of all this data.

They (whoever they are) know:

  • Your exact location (well, your phone’s location) and when you do things (break curfew or leave an area).
  • Everything you search for.
  • Every word you say and to whom (contacts).
  • Extrapolate by cross-referencing social media for your political, gender, and race sympathies.
  • What you spend (Baidu Pay)
  • And so much more as smartphones become the only way to access ‘life’.

It also shows that Western users need to learn how to tighten privacy because system apps can track you even if you opt out of the more obvious privacy permission requests.

And this is not just Android. China’s version of iOS is equally tainted.

Further reading

Don’t buy a grey market phone (guide)

Are Chinese-made smartphones spying on me?

How to minimise the risk of smartphone snooping (Android privacy tips guide)