New Delhi, Nov 23 (IANS) News that security firm Kryptowire identified a "backdoor" spyware in Android smartphones in the US which collected sensitive personal data and transmitted it to servers in China has shaken cybersecurity experts in India -- a country where one in five smartphones is of Chinese make.
Jump-started by the US Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS), Kryptowire last week revealed that these Android devices were available through major US-based online retailers like Amazon and BestBuy and included popular smartphones such as BLU R1 HD devices.
The devices actively transmitted user and device information including text messages, contact lists, call history with full telephone numbers, and unique device identifiers to third-party servers in China without user consent, Kryptowire claimed.
Shanghai Adups Technology Co Ltd, the Chinese company behind the spyware -- or firmware -- later admitted that it planted the software in some Android phones "by mistake" but said the "text messages, contacts or phone logs" were not shared with anyone else.
The revelation has raised security and privacy concerns in India. There are nearly 250 million unique smartphone users in the country and by the end of the year, there will be 280 million Indians with these devices.
"Nearly 94 per cent of these people are using Android devices and Chinese smartphone users are at roughly 60 million, which means one out of five smartphone users in India is using a 'Made in China' device. Thus, security becomes a paramount concern here," Tarun Pathak, Senior Analyst, Mobile Devices and Ecosystems at New Delhi-based Counterpoint Research, told IANS.
With digital consumption on the rise, the security risk is growing multifold.
"Indian smartphone users are at the same risk as users in the US when it comes to sensitive personal data and information being copied from phones and transmitted to undisclosed locations without their consent or knowledge. This is owing to the security vulnerabilities that exist in the Android system," explained Pavan Duggal, one of the nation's top cyber law experts.
Android is a very fertile platform with a large number of contaminants and infections. Hundreds of thousands of infections have been discovered on the Android platform in the last few years.
According to Rahul Tyagi, Vice President (Training) at IT risk assessment and digital security services provider Lucideus, Indian users share the same threat as China continues to be a major exporter of smartphones.
"Given the current market, there are a lot of new phone companies/models being launched every day with advanced features at a low price, most of them being manufactured in China -- which may put user-privacy at great risk," Tyagi told IANS.
Owing to the competition, companies are trying to give the best hardware experience to consumers but what is lacking is proper security auditing in their custom operating systems and firmware.
"Bugs at the operating system's application layer can be tackled by using updated anti-virus and other third-party security applications, but bugs at the firmware level are beyond users' reach as they will never have direct access to the firmware," Tyagi pointed out.
The threat gets bigger with more and more people embracing mobile digital payments in the wake of demonetisation.
"Mobile continues to be an area of exposure. As we get more and more used to transactions with mobile banking or e-commerce, mobile becomes more of a financial gateway and the implications are huge," added Anand Ramamoorthy, Managing Director, South Asia, Intel Security.
What if such a data theft case is identified in India?
"If the government comes to know that Chinese smartphones are stealing users' data from their customers, then it is very apparent that our cyberlaw is not at all adequate to deal with such challenges," Duggal told IANS.
Though under the 2008 amendments to the Information Technology Act, 2000, all mobile phones, including smartphones, have been covered within the ambit of the Indian cyberlaw, the law still does not comprehensively deal with relevant issues in the mobile ecosystem.
The absence of India as a signatory to any international treaty on cybercrime further complicates the intrinsic ability of the immense law and legal frameworks to provide effective remedies against any such contravention.
"One of the biggest challenges in this regard would deal with the issue of attribution. How would the Indian agencies be able to attribute to the fact that the said misuse has been done from the indicated/suspected source? The issues pertaining to attribution need far more clarity," Duggal noted.
According to Rakshit Tandon, consultant at the Internet and Mobile Association of India (IAMAI) and a cyber security expert, the threat is very real for Indian users and the country lacks a sufficient law framework to tackle the situation.
"Thus, it is challenging for the Centre/state governments to ward off data stealing from smartphones by third-party software. We need stronger laws to apply enforcement on data stealing via such devices," he told IANS.
Keeping new-age security needs in mind, steps must be taken to make Indian cyberlaw more effective and redressal mechanisms must be built in for the users who are part of the digital and mobile ecosystem, Duggal added.
(Nishant Arora can be contacted at email@example.com)