Analysis

Is your Chinese smartphone spying on you?

It really might be — just not in the way you think

What if you could get a top-of-the-line Android phone equipped with the latest processor and loaded with slick new features at a steep discount? There's only one catch: It's a Chinese smartphone and the Chinese government could use it to spy on you.

These security concerns have led America's intelligence agencies to warn against using Chinese smartphone-makers Huawei and ZTE. "[A Chinese smartphone] provides the capacity to maliciously modify or steal information," FBI Director Christopher Wray told Congress last week. "And it provides the capacity to conduct undetected espionage."

So: How legitimate are these concerns? They're certainly not unfounded, but they're also more complicated than Wray's testimony alone lets on.

It's true that China has long been the most aggressive nation-state hacking U.S. businesses and the government. From stealing plans for the advanced F-35 stealth fighter to State Department files, Chinese hackers have made off with invaluable trade secrets, sensitive government data, and personnel records.

But it's also highly unlikely that the Chinese government has taken a sudden interest in hacking into the devices of ordinary Americans. That's not China's style. The country's hackers have demonstrated that their primary focus is on stealing military and trade secrets so that China can rapidly develop its armed forces and key industrial sectors.

Chinese smartphones have also come under a lot of criticism for spyware. Over the last several years, there have been multiple discoveries of malware loaded on Xiaomi, Lenovo, Huawei, and other Chinese smartphones.

In 2016, for instance, the mobile security firm Kryptowire uncovered Chinese malware on as many as 700 million budget Android devices. Hidden in a benign support app, the pre-installed, third-party software would secretly send full text messages, contact lists, call history, location data, and other sensitive information to a server in Shanghai every 72 hours. The offending company, Shanghai Adups Technology Co., was reportedly using the data to tailor advertising to users; it claimed the app was only intended for the Chinese market and that a small number of America-bound phones were loaded with it due to a glitch.

Chinese malware hidden in smartphones certainly sounds suspicious, but it's hardly a smoking gun. After all, the greatest threats that computers and mobile devices around the world faced in the past year, Spectre and Meltdown, stemmed from security flaws in American-made chips.

But in the Adups example lies the real problem with Chinese smartphones: data.

For phones to function properly, many core processes require access to your location data, calls, and messages. This is as true of the humble Huawei Honor 7 as the elite Apple iPhone X. So while many Chinese smartphones don't actively use any Chinese apps, as the Adups case reveals, they still have firmware and other relatively innocuous pre-loaded background software that communicate with servers in China.

And unlike America, China lacks data protections.

"The line between private companies and state institutions is often quite blurred," said Maya Wang, a researcher from Human Rights Watch. "In theory, there are protections on citizens' data, but in practice there are no controls about how this data may be used."

Chinese tech companies play a central role in the government's far-reaching surveillance apparatus that closely monitors what its citizens are doing and saying online. Under China's sweeping cybersecurity law, companies are required to give authorities full access to their data upon request.

So when it comes to Chinese-made smartphones, the worry is less about nefarious hackers hiding malware on phones, and more about where data from mundane apps is going.

When a person sets up their new phone and taps "I agree" on the confidentiality agreement, they are essentially handing over their personal data to whoever made their phone. And when it comes to Chinese companies, that might be a mistake.
