中国公司被指在安卓手机留“后门”

WASHINGTON — For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours.

华盛顿——花大约50美元(约合340元人民币)，你就可以买到一部带有高清显示和快速数据服务的智能手机。从事信息安全工作的承包商说，这种手机还有一种秘密功能：它有一个后门，会每隔72小时就把你所有的短信都发送到中国。

Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.

从事安全工作的承包商最近在一些安卓(Android)手机上发现了预装软件，这种软件监视用户去过哪里，他们与什么人聊过天，他们在短信中写了什么。美国当局表示，尚不清楚这是一种为了广告目的而秘密进行的数据挖掘，还是一种中国政府收集情报的努力。

International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.

受这种软件影响最大的是国际客户、临时手机用户以及预付话费的用户。但还不清楚其影响范围有多大。这个软件是中国的上海广升信息技术有限公司(Adups)编写的，该公司称其代码在超过七亿部手机、汽车和其他智能设备上运行。美国手机制造商BLU产品公司表示，其12万部手机受到影响，公司已更新了软件，删除了这个功能。

Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. “Even if you wanted to, you wouldn’t have known about it,” he said.

发现该漏洞的信息安全公司Kryptowire说，广升的软件将短信的全文、联系人名单、通话记录、位置信息，以及其他数据传输到一个中国的服务器上去。Kryptowire副总裁汤姆·卡拉吉安尼斯(Tom Karygiannis)说，代码是预装在手机上的，但没有向用户披露这种监视功能，Kryptowire公司位于弗吉尼亚州的费尔法克斯。“即使你想知道，你也不可能知道有这个东西，”他说。

Security experts frequently discover vulnerabilities in consumer electronics, but this case is exceptional. It was not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior, according to a document that Adups provided to explain the problem to BLU executives. That version of the software was not intended for American phones, the company said.

虽然信息安全专家经常在消费者电子产品中发现漏洞，但这次的情况很特别。这不是一个程序错误。相反，据广升向BLU高管提供的解释这个问题的文件，广升有意设计了这个软件，以帮助中国手机制造商监视用户行为。广升表示，带有上述功能的软件版本原本不是为美国手机写的。

“This is a private company that made a mistake,” said Lily Lim, a lawyer in Palo Alto, Calif., who represents Adups.

“这是家犯了错误的私人公司，”加利福尼亚州帕洛阿尔托的律师林丽丽(Lily Lim)说，她是广升的法律代理。

The episode shows how companies throughout the technology supply chain can compromise privacy, with or without the knowledge of manufacturers or customers. It also offers a look at one way that Chinese companies — and by extension the government — can monitor cellphone behavior. For many years, the Chinese government has used a variety of methods to filter and track internet use and monitor online conversations. It requires technology companies that operate in China to follow strict rules. Ms. Lim said Adups was not affiliated with the Chinese government.

这个问题显示了处在整个技术供应链中的公司，如何能够在制造商或用户知情或不知情的情况下侵害隐私。它也让人看到了中国公司——进而延伸到中国政府——可以监视手机的一种方式。多年来，中国政府一直在使用各种方法来过滤和跟踪互联网的使用，监视在线对话。政府要求在中国经营的技术公司遵守严格的规则。林丽丽说，广升不隶属于中国政府部门。

At the heart of the issue is a special type of software, known as firmware, that tells phones how to operate. Adups provides the code that lets companies remotely update their firmware, an important function that is largely unseen by users. Normally, when a phone manufacturer updates its firmware, it tells customers what it is doing and whether it will use any personal information. Even if that is disclosed in long legal disclosures that customers routinely ignore, it is at least disclosed. That did not happen with the Adups software, Kryptowire said.

这个问题的核心是一种被称为“固件”的特殊类型软件，固件告诉手机如何进行操作。广升提供的代码让公司能远程更新其固件，这是一个用户基本上看不到的重要功能。通常，当手机制造商更新其固件时，它会告诉用户做了什么，也会告诉用户它是否将使用个人信息。尽管用户通常对这种很长的法律声明文本毫不关心，但毕竟告知了用户。广升的软件则未作有关声明，Kryptowire说。

According to its website, Adups provides software to two of the largest cellphone manufacturers in the world, ZTE and Huawei. Both are based in China.

据广升的网站，该公司向世界上两家最大的手机制造商中兴和华为提供软件。这两家公司都在中国。

Samuel Ohev-Zion, the chief executive of the Florida-based BLU Products, said: “It was obviously something that we were not aware of. We moved very quickly to correct it.”

位于佛罗里达州的BLU产品公司的首席执行官塞缪尔·奥赫夫-锡安(Samuel Ohev-Zion)说：“这显然是我们不知道的事情。我们非常迅速地进行了纠正。”

He added that Adups had assured him that all of the information taken from BLU customers had been destroyed.

他补充说，广升已向他保证，从BLU客户那里获得的所有信息都已被销毁。

The software was written at the request of an unidentified Chinese manufacturer that wanted the ability to store call logs, text messages and other data, according to the Adups document. Adups said the Chinese company used the data for customer support.

据广升提供的文件，这款软件是根据一个未指明的中国制造商的要求编写的，该制造商希望软件有存储通话记录、短信消息和其他数据的功能。广升说，中国公司使用这些数据提供客户支持。

Ms. Lim said the software was intended to help the Chinese client identify junk text messages and calls. She did not identify the company that requested it and said she did not know how many phones were affected. She said phone companies, not Adups, were responsible for disclosing privacy policies to users. “Adups was just there to provide functionality that the phone distributor asked for,” she said.

林丽丽说，该软件的目的是帮助中国客户识别垃圾短信和电话。她没有给出提这个要求的公司的名字，并表示不知道有多少手机受了影响。林丽丽称，向用户声明隐私政策的责任在电话公司，不在广升。她说，“广升只不过是按照电话分销商的要求提供功能而已。”

Android phones run software that is developed by Google and distributed free for phone manufacturers to customize. A Google official said the company had told Adups to remove the surveillance ability from phones that run services like the Google Play store. That would not include devices in China, where hundreds of millions of people use Android phones but where Google does not operate because of censorship concerns.

安卓手机用的软件是谷歌(Google)开发的，并免费提供给手机制造商按照自己的需要改制。一名谷歌负责人表示，公司曾告诉广升，让其把监视功能从运行Google Play商店等服务的手机上删除。但这不会包括中国的设备，虽然中国有数亿人使用安卓手机，但由于审查的原因，谷歌不在中国运营。

Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.”

由于广升尚未发布受影响手机的名单，目前不清楚用户如何能确定他们的手机是否有问题。“有点技术能力的人也许能自己解决，”Kryptowire副总裁卡拉吉安尼斯说。“但一般的消费者怎么办?他们没有办法。”

Ms. Lim said she did not know how customers could determine whether they were affected.

林丽丽说，她不知道用户怎样能确定他们是否受到影响。

Adups also provides what it calls “big data” services to help companies study their customers, “to know better about them, about what they like and what they use and there they come from and what they prefer to provide better service,” according to its website.

广升还提供被称为“大数据”的服务，帮助公司研究其客户，“更好地了解他们，了解他们喜欢什么、他们使用什么、他们从哪里来，还有他们的喜好，以为他们提供更好的服务，”公司的网站说。

Kryptowire discovered the problem through a combination of happenstance and curiosity. A researcher there bought an inexpensive phone, the BLU R1 HD, for a trip overseas. While setting up the phone, he noticed unusual network activity, Mr. Karygiannis said. Over the next week, analysts noticed that the phone was transmitting text messages to a server in Shanghai and was registered to Adups, according to a Kryptowire report.

Kryptowire发现这个问题的过程既带有偶然性，也受到好奇心的驱使。卡拉吉安尼斯说，公司的一名研究员为一次海外旅行买了一部便宜的BLU R1 HD手机。在设置手机时，这名研究人员注意到不寻常的网络活动。据Kryptowire的报告，在接下来的一周里，分析师注意到该手机在向位于上海的一个服务器发送短信内容，该服务器注册在广升名下。

Kryptowire took its findings to the United States government. It plans to make its report public as early as Tuesday.

Kryptowire已把这一发现上报了美国政府。公司计划最早在周二公布其报告。

Marsha Catron, a spokeswoman for the Department of Homeland Security, said the agency “was recently made aware of the concerns discovered by Kryptowire and is working with our public and private sector partners to identify appropriate mitigation strategies.”

美国国土安全部发言人玛莎·卡特伦(Marsha Catron)说，国土安全部“最近获悉了Kryptowire发现的问题，正在与我们的公共和私营部门合作伙伴一起确定适当的缓解策略。”

Kryptowire is a Homeland Security contractor but analyzed the BLU phone independent of that contract.

虽然Kryptowire是一家国土安全部的承包商，但公司对BLU手机的分析是独立于政府合同进行的。

Mr. Ohev-Zion, the BLU chief executive, said he was confident that the problem had been resolved for his customers. “Today there is no BLU device that is collecting that information,” he said.

BLU首席执行官奥赫夫-锡安说，他确信公司已经为客户解决了这个问题。“如今已经不存在收集这些信息的BLU设备了，”他说。