Are Chinese-made smartphones spying on me?
There is a lot of FUD – fear, uncertainty, and deception – about Chinese-made smartphones spying. It is liberally spread by some media on the payroll of non-Chinese companies wanting to cash in on the rising anti-China sentiment. It is all bovine-excrement.
CyberShack is not a political publication. Any China sentiment you may have, or not, is based on your take on Chinese attitudes to Australia’s exports, potential annexation of Taiwan, alleged repression of Uyghurs, and the increasing presence in the South Pacific.
This is a detailed article, so if you want the spoiler: Chinese-made smartphones are not spying on you.
Every smartphone, Chinese or not, ‘spies’ on you. By spying, we mean it tracks time, location, device ID/details/IMEI, and so much more. The real question is where that metadata ends up (discussed later).
Telstra/Optus/Vodafone need device/location details to allow you to make and receive calls/SMS. They may monetise that metadata by selling it to data brokers. Only in subpoena circumstances can law enforcement intercept your phone calls and SMS.
Apple and Google spy on you, ostensibly to help you with search, maps and more to deliver location-relevant suggestions. But they gather so much more to help them deliver relevant advertising to you and try to keep you in their ecosystems. You have to trust Apple and Google if you want to use their smartphone operating systems, and neither sells your data.
But it does not stop there.
Third-party Apps track you and monetise that data.
Smartphone makers cannot control third-party apps, even if paid to pre-install them. Our advice is to uninstall every App you do not need.
The bad guys are Facebook, Instagram, WhatsApp, Twitter, TikTok, Zoom, Weather, and thousands more that plant cookies and trackers, offering a free service in return for massive data harvesting. Ask why a flashlight needs access to the phone, contacts, photos, and operating system. It is sucking your data up and selling it.
One app is potentially dangerous – read TikTok is a wolf in sheep’s clothing – FCC commissioner calls for US ban. And we think anything related to Zuckerberg is suspect as Meta’s entire business model is to gather and monetise your data.
Google made significant security strides in Android 10/11/12 and more in Android 13 to safeguard your data and limit App permissions to what they need to operate. That is why we state that you should not use a pre-Android 10 phone.
Some smartphone makers add extra protection – Samsung Knox, OPPO (secure folders, sandbox, all extracted data is encrypted and anonymised), Motorola (Lenovo Think Shield option) and more.
Any spying is more likely to involve the User Interface (UI)
As the West has adopted Android and iOS, which US companies control, the operating system should be safe and free from spyware – apart from the data collected by Google and Apple.
Of more concern are the User Interfaces (UIs).
Apart from Google Pixel and Nokia, all makers have a UI. It helps to maximise hardware performance and add value to Google Android. That is a good thing.
But some UIs go too far. For example, the first and second generations of TCL phones had a proprietary UI launcher. In 2020, it and TCL brand Alcatel were implicated in a massive Chinese spyware operation. Our review of the TCL third generation 30-series does not reveal such a launcher – it has learnt the export lesson.
But let’s not allow any other maker off the hook either. In most cases, makers try to get you to sign into their account. Ostensibly it is for warranty registration, but it is really for marketing and tracking purposes.
For example, Samsung ties certain aspects of the phone’s operations to signing into its account. It is following Apple’s ‘walled-garden’ approach where you can’t install Galaxy apps and get some interoperability with its accessories without sign-in. We are not suggesting Samsung is spying, but it is monetising your data.
Motorola almost begs you to sign into its account during setup, but you can avoid it.
RULE: If any Android smartphone requires more than an initial Google sign-in to operate, take it back and demand your money back.
Who are the targets of spying?
More fundamental is that Joe and Jane Average don’t have anything worth spying on. They are more targets for dark-web scammers. So, relax. At worst, if a foreign government were vacuuming all your data, it would need a damned big supercomputer to make sense of it and labour resources beyond comprehension to exploit it.
It is the 80/20 rule – only 20% are worth tracking. Real spying is for people of interest or influence: politicians, senior public servants, military, big business leaders and, more disturbingly, their family and close friends. At any time, there are many millions of people around the world with no privacy at all.
Another category is political activists. It is no secret that Chinese-made smartphones track activists in Hong Kong and that China keeps tabs on its citizens via the Great Nation App. Analysis of the mandatory app shows:
- A backdoor granting complete remote administrator-level access to a user’s phone.
- Actively scans apps, comparing them to a blacklist.
- Uses weak cryptographic algorithms in areas containing sensitive user data.
- Sends daily, detailed user app logs, including a wealth of user data and app activity.
- Tracks the phone (IMEI, device model, brand, device ID, AppKey, rooting status); Connection information (Wi-Fi-SSID, carrier, VPN-check); User information (UIDs, cookies, session-IDs, Event-, Page- and Track-IDs, calls, call statistics, contacts); Location; Running processes and services.
All athletes at the 2022 Chinese Winter Olympics had to download the My2022 App. It has subsequently been identified as spyware with numerous remote capabilities – make phone calls, connect to Wi-Fi, open GPS, get clipboard data and more. Some of that data exfiltration relates to the athletes’ medical and performance data.
Facts about smartphone construction
Around 80% of the world’s smartphones are Chinese-assembled. More than 90% of the components are made in China by Chinese-owned or joint-venture Chinese/international companies.
India assembles about 7% predominately from Chinese components. Vietnam has a burgeoning smartphone assembly industry using Chinese and South Korean components. Any local content is mainly plastic case mouldings and labour.
There are two huge concerns here.
First, and perhaps the biggest concern, is Made in China 2025 – a policy with intended consequences where goods for Chinese consumption must have 100% Chinese components, software, operating system and apps by 2025. The West won’t buy that.
Suppose you remove the 1.4 billion people’s domestic consumption from the equation. In that case, smartphones using Western technology like Qualcomm or Japanese or South Korean components will suddenly lose a considerable market share. The resulting decrease in the economy of manufacturing scale will lead to higher prices for Chinese and non-Chinese assembled smartphones using non-Chinese components.
Second, because of China’s component monopoly, it could feasibly cease supply if a war occurred. That is why there is a scramble to find diversified supply sources in other countries.
Made in China 2025 will cause the West to reassess the risk. Most Chinese smartphone makers with global sales are looking to alternative factory locations and components. Unfortunately, 2025 is not that far away.
That is why many Western tech companies are looking to move component manufacture from China.
What about the ‘spy’ chip?
Technically it is possible to put a ‘spy’ chip into every Chinese-assembled phone. Has it happened yet? No, and it is highly unlikely for export market phones. In any case, it is more likely to be a simple hardware processor ‘backdoor’ that may disrupt telecommunications at a sensitive time.
The practical reason is that these devices (at least the ones sold in the USA and Europe) undergo FCC and other strenuous certifications. During that process, any exfiltration of data would be obvious.
But there are two more practical reasons why hardware spying is unlikely. First, an App is better for spying. Second, any Chinese maker/assembler would not risk its reputation and market share for ‘export’ goods. But what they may be compelled to do with Chinese consumption is another story.
Facts about Chinese-made smartphones sold in Australia
A Taiwanese brand (Wiki), ZenFone, is assembled in Taiwan.
A Finnish brand (HMD Global Wiki); its phones are assembled in China by Foxconn. Ditto for components.
Samsung (Wiki) is a South Korean company, and 8% of its premium phones are made there. It contracts with factories (some company-owned) in China, Taiwan, India, and Vietnam. Samsung makes some of its screens (AMOLED), RAM, Storage and Exynos Processors, but estimates are that about 60% of its smartphone components come from China.
A US company (Wiki); its Pixel 6 range is assembled in China by Foxconn. Ditto for components.
OPPO/realme/vivo – BBK
BBK (Wiki) was founded by Duan Yongping (1961), who owns part of each subsidiary along with their respective senior executives (he finances many of these share buys). At five years of age, his family was forcibly moved to Jinggangshan under the ‘May 7th Directive’, which sent intellectuals for ‘re-education’ in socialism through agricultural labour and ideological reform. I will let you draw your conclusions but let’s say there is no love lost there.
He lives in the USA and has been described as a Chinese ‘Warren Buffett’. He is a philanthropist, and his wife runs the Enlight Foundation, a US-based non-profit supporting educational groups. OPPO was built on his devotion to strict quality control and efficiency management. BBK has invested heavily in factories in India (the Reno series is made there). BBK is the world’s second-largest smartphone maker and would not risk its export markets.
Motorola Lenovo (Wiki) has a long history. It was a Chicago-based American brand with a heritage going back to the 1930s. The mobility division (phones) was sold to Google. After stripping it of IP and patents, the brand was on-sold to Chinese-owned Lenovo to give it a foothold in the US market, as it did by buying IBM’s PC operation.
Lenovo Chair and CEO Yang Yuanqing said, “The acquisition of such an iconic brand … will immediately make Lenovo a strong global competitor in smartphones. Lenovo has a proven track record of successfully embracing and strengthening great brands – as we did with IBM’s Think brand”.
Motorola (Lenovo) is the most aggressive brand chasing market share. It aims to knock BBK off as the world’s second-largest Android maker.
TCL (Wiki) was founded in 1981 as a Chinese State-owned enterprise with shares listed on the Shenzhen and Hong Kong stock exchanges. It makes TVs, smartphones, home appliances, and display panels (CSOT) and owns the Alcatel and Palm brands after relinquishing the BlackBerry brand license. Its TCL 30-series phones are its third generation under the brand.
ZTE (Wiki) makes white label phones and modems for Optus and Telstra and sells very little under its brand – perhaps best known for its Red Magic gaming brand. It is a Chinese state-owned yet ‘privately run’ company listed on the Shenzhen and Hong Kong stock exchanges. In 2019 it was branded a national security threat in the USA along with Huawei for any involvement in its 5G network infrastructure.
Huawei (Wiki) claims to be employee-owned. A single trade union committee owns about 99% of the shares with links to the All-China Federation of Trade Unions controlled by the Chinese Communist Party. In 2020 it was branded a national security threat in the USA along with ZTE for any involvement in its 5G network infrastructure.
Huawei cannot use Google Android or its services and uses a Linux fork called Harmony OS. Without Google, its Australian phone market share is negligible, although some NBN and Telco ISPs still sell its modems/routers. It spun off its Honor brand to get around some restrictions, but that is not sold in Australia.
Huawei, ZTE and Lenovo installed AdUps spyware in their phones before 2017, secretly sending text messages to China every 72 hours.
CyberShack’s view – Are Chinese-made smartphones spying on me?
In general, no, but the Apps could be. Read How to minimise the risk of smartphone snooping (Android privacy tips guide).
The actual legal issue is that Chinese legislation requires Chinese companies to store data on Chinese servers and gives Chinese authorities the right to access it without reason. I think this quote from OPPO sums it up.
OPPO and its BBK siblings Vivo and realme operate strictly under Australian Laws and Telecommunications Regulations. We have operations in more than 50 countries and regions around the world. We comply with all local laws and regulations of the countries or regions in which we operate. Over the years, we’ve gone above and beyond, introducing new features and functionality to improve both security and the overall customer experience. As such, our customers can rest assured their data is and always will be safe and secure. To suggest otherwise is mischievous and deceptive.
Managing Director of OPPO Australia, Michael Tran
I am deeply saddened by the Chinese smartphone scaremongering ‘beat-up’ in some local IT media, regularly claiming, “Brands that are of concern are Oppo, realme, Vivo, Huawei and of huge concern are Xiaomi products … regarding spyware and concerns over privacy.”
I have had enough of WTF – recidivist ramblings, Chinese Whispers, and vendettas for payment.
But we may need to revisit this after the impact of Made in China 2025, particularly if Google Android or Apple iOS is not the operating system.