Summary


During our security research we found that smartphones with a Qualcomm chip secretly send personal data to Qualcomm. This data is sent without user consent, unencrypted, and even when using a Google-free Android distribution. This is possible because the Qualcomm chipset itself sends the data, circumventing any Android operating system setting and protection mechanism. Affected smartphones include the Sony Xperia XA2 and likely the Fairphone and many more Android phones which use popular Qualcomm chips.

Introduction

The smartphone is a device we entrust with practically all of our secrets. After all, it is the most ubiquitous device we carry with us 24 hours per day. Both Apple and Android, with their App Store and Google Play Store, are spying on their paying customers. As a private alternative, some tech-savvy people install a Google-free version of Android on their ordinary smartphone. As an example we analyzed such a setup with a Sony Xperia XA2 and found that this may not protect sufficiently, because hardware with firmware beneath the operating system sends private information to the chip maker Qualcomm. This finding also applies to other smartphones with a Qualcomm chip, such as the Fairphone.

What is a de-Googled Android phone?

A deGoogled Android phone is one that has been modified to not include any of Google’s proprietary (closed-source) apps or services. This usually involves installing a custom ROM that replaces the standard Android software with an open source Android that doesn’t come with any of Google’s apps. You can either install such an Android yourself or buy a phone that already has this done for you (e.g. NitroPhone).

Google surveillance & tracking tools are everywhere, but most of this ‘evil’ is located inside the Google Play Services, which is closed-source. It comprises millions of lines of code that include things like constantly scanning your surroundings for Bluetooth and WiFi devices, using WiFi signal triangulation, then matching the visible WiFi antennas with Google’s database of the geographic locations of all WiFi access points they collect, in order to know your precise location at all times. This all works without connecting to the detected WiFi networks and even when your GPS is turned off. This method is similar to how the CIA tracked down Pablo Escobar in the 1990s but is now used on a massive scale to track every citizen around the globe.

Sample of wireless access point geolocation database www.wigle.net

To get rid of the almighty Google and Apple and their 24-hour tracking & surveillance tools, one approach is to use a de-Googled Android phone. As a result, your deGoogled phone will not have the Google Play Services and Google Play Store but will instead use an alternative open-source store app that offers the same apps. You can also avoid the use of a store altogether by downloading your apps (with the APK file extension) directly from the software vendor’s website, just as you would when downloading a program to install on your PC.

Analyzing a DeGoogled Phone

Sony Xperia XA2

In this test, we decided to try /e/OS, a de-Googled open-source version of Android that is privacy-focused and designed to give you control over your data. /e/OS claims that they do not track you and don’t sell your data. Let’s find out.

We installed /e/OS on a Sony Xperia XA2 smartphone. After installation, the phone boots into the /e/OS setup wizard. It asked us to turn on the GPS location service, but we purposely left it off because we did not need it at that point.

We also did not insert a SIM card into the phone, so it could only send and receive data over the WiFi network, which we monitored with Wireshark. Wireshark is a professional software tool which allows us to monitor and analyze all traffic being sent over the network.

After we provided our WiFi password in the setup wizard, the router assigned our /e/OS de-Googled phone a local IP address and it started generating traffic.

The first DNS requests we see:

[2022-05-12 22:36:34]    android.clients.google.com
[2022-05-12 22:36:34]    connectivity.ecloud.global

Surprisingly, the deGoogled phone’s first connection is to google.com. According to Google, the host android.clients.google.com serves the Google Play Store for periodical device registration, location, search for apps and many other functions. This is strange because we have a deGoogled phone without the Google Play Store.

Then it connects to connectivity.ecloud.global which, according to /e/OS, replaces Android’s Google connectivity check server connectivitycheck.gstatic.com. This makes us wonder: /e/OS did replace Google’s connectivity check, but did they somehow forget to replace the Google Play Store URL?

Two seconds later the phone started communicating with:

[2022-05-12 22:36:36]    izatcloud.net
[2022-05-12 22:36:37]    izatcloud.net

We are not aware of any company or service with the name izatcloud.net. Therefore we started searching through the /e/OS legal notice and privacy policy but found no mention of data sharing with the Izat Cloud. The /e/OS privacy policy clearly states “We do not share any individual information with anybody”. We then searched through the /e/OS source code they make available on Gitlab and were unable to find any references to the Izat Cloud.

A quick WHOIS lookup shows us that the izatcloud.net domain belongs to a company called Qualcomm Technologies, Inc. This is interesting. Qualcomm chips are currently being used in ca. 30% of all Android devices, including Samsung and also Apple smartphones. Our test device for the /e/OS deGoogled version of Android is a Sony Xperia XA2 with a Qualcomm Snapdragon 630 processor. So there we have a lead. As our /e/OS has been completely de-Googled, we assume that the first connection to android.clients.google.com must also have come directly from Qualcomm’s firmware.

Is Qualcomm spying on us?

Investigating this further, we can see that the packets are sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS. That means that anyone else on the network path, including hackers, government agencies, network administrators and telecom operators, local or foreign, can easily spy on us by collecting this data, storing it, and building up a record history keyed on the phone’s unique ID and serial number that Qualcomm sends to its mysteriously named Izat Cloud.

The data sharing with Qualcomm is not mentioned in the terms of service of Sony (the device vendor), Android or /e/OS either. Qualcomm does this without user consent.

We believe that collecting user data without consent is against the General Data Protection Regulation (GDPR), and contacted Qualcomm’s Legal Counsel about the matter. A few days later they answered and informed us that this data collection was in accordance with the Qualcomm Xtra privacy policy, and they shared a link to their XTRA Service Privacy Policy with us. So it appears that this Izat Cloud we had never heard of is part of the XTRA Service we had never heard of either. We have the impression that Qualcomm likes to keep things mysterious, hence the names Izat Cloud and XTRA Service.

Looking at the link Qualcomm sent us, the ‘XTRA Service’ privacy policy states:

“Through these software applications, we may collect location data, unique identifiers (such as a chipset serial number or international subscriber ID), data about the applications installed and/or running on the device, configuration data such as the make, model, and wireless carrier, the operating system and version data, software build data, and data about the performance of the device such as performance of the chipset, battery use, and thermal data.

We may also obtain personal data from third party sources such as data brokers, social networks, other partners, or public sources.”

They do not mention the IP address, but we assume they collect that as well. After our research was completed they updated the privacy policy and added that they also collect the device’s IP address. They also added that they store this data for 90 days for ‘quality purposes’.

To clarify, here is a list of the data Qualcomm may collect from your phone according to their privacy policy:

  1. Unique ID
  2. Chipset name
  3. Chipset serial number
  4. XTRA software version
  5. Mobile country code
  6. Mobile network code (allowing identification of country and wireless operator)
  7. Type of operating system and version
  8. Device make and model
  9. Time since the last boot of the application processor and modem
  10. List of the software on the device
  11. IP address

Digging a little deeper, we find that the ‘XTRA Service’ from Qualcomm provides Assisted GPS (A-GPS) and helps provide accurate satellite positions to a mobile device.

What is Assisted GPS (A-GPS), and why do I need it?

GPS was initially developed exclusively for military usage, guiding planes, personnel, and bombs. Receivers were typically positioned in open regions with line-of-sight access to satellites. Since GPS became available for commercial usage, however, new applications have increased the system’s requirements.

These new uses required GPS signals to penetrate overhead obstructions, such as trees and roofs. Thus, the “assisted GPS” or A-GPS solution was born. With A-GPS the phone downloads files containing the orbits and statuses of the satellites, i.e. the approximate GPS satellite locations for the next 7 days, to help quickly determine the phone’s location.

The Covert Operating System

Qualcomm’s XTRA service is not part of /e/OS or Android but runs directly from the Qualcomm firmware, which they call AMSS. In addition to the user-facing operating system (Android, iOS) and the Linux kernel, the smartphone incorporates an additional, low-level firmware or blobware. This covert operating system runs on the baseband processor (modem) and manages the real-time communication with the cell towers.

During operation, the covert operating system (AMSS) has complete control over the hardware, microphone and camera. The Linux kernel and the deGoogled /e/OS end-user operating system run on top of the hidden AMSS operating system and are subordinate to it.

The consequence is that even with a deGoogled device we still have no full control over our privacy, nor over which personally identifiable information (PII) is shared, because of this closed-source blobware underneath that is sharing our private data.

Are other smartphones affected?

Another popular option which is frequently chosen for its privacy is the Fairphone. The Dutch company produces excellent phones allowing users to maintain the phone and replace parts themselves when broken. In spite of its reputation for bolstering users’ privacy, all Fairphone models contain a Qualcomm chip, probably loaded with the AMSS blobware. The Fairphone therefore has the same issue with sharing personal data with the Qualcomm XTRA Service. Although not tested, we suspect that the same privacy issues affect many other smartphone brands that use Qualcomm processors, including so-called encrypted phones or crypto phones.

NitroPhone is secure

NitroPhone 3 Pro

Nitrokey’s NitroPhone does not contain the Qualcomm chipset, and our tests confirm that when GPS is turned off, no requests for A-GPS are made. When GPS is turned on, to prevent Google from obtaining and storing your IP address, the NitroPhone’s GrapheneOS contacts and downloads the A-GPS files from google.psds.grapheneos.org, a proxy server supplied by GrapheneOS to protect users’ privacy. And unlike Qualcomm, GrapheneOS does not share any personal information with the GrapheneOS proxy servers, nor with Google or Qualcomm.

Furthermore, GrapheneOS allows you to disable the feature that requests A-GPS files (opt-out) or, if you prefer, to use Android’s standard servers agnss.goog. At the moment, neither /e/OS, Lineage nor Sailfish OS, nor any other phone we could find, supports this feature or provides this level of freedom.

Conclusion

Qualcomm’s proprietary firmware is not only downloading some files to our phone to help establish the GPS location faster, but also uploads our personal data, such as the device’s unique ID, our country code (Germany in this case), our cellphone operator code (allowing identification of country and mobile operator), our operating system and version, and a list of the software on the device. This creates a completely unique signature of us, enabling behavioral tracking and decreasing the user’s privacy significantly, no matter whether we have GPS turned off.

The fact that Qualcomm collects a large amount of sensitive data and transmits it via the insecure and outdated HTTP protocol shows us that they do not care about users’ privacy and security. One does not even need to speculate about Qualcomm collaborating with various government spy agencies: the cleartext traffic also creates a risk when it is intercepted by dictators and other repressive governments, which requires no collaboration with Qualcomm at all. Drones are not the only things that make frequent use of location information to target people. There are cases where kidnappings and/or assassinations have been facilitated by the use of the victims’ location information. A most recent example is Iran, where protesters get arrested because of their smartphone location tracking. This does not even require tapping the phone. The cleartext traffic is also a hotbed for data brokers which sell people’s data (e.g. to shopping centers).

Affected users could try blocking the Qualcomm XTRA Service using a DNS-over-TLS cloud-based block service, or re-route this traffic to the proxy server from GrapheneOS themselves, but this requires technical expertise and does not provide the same level of security as the NitroPhone.
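The following script is an added example and not code from the original article or from /e/OS, GrapheneOS or Qualcomm. It ties together two points of the article: spotting the DNS lookups described in the section “Sony Xperia XA2” (the `[timestamp]    hostname` lines captured with Wireshark) and the DNS-based blocking suggested above. It parses a query log in that format, flags lookups of the two hosts the article names (izatcloud.net and android.clients.google.com, including any subdomain), reports first and last sighting per domain, and emits a local-resolver blocklist in dnsmasq `address=/domain/0.0.0.0` syntax for the XTRA domain only. The sample log is constructed: it repeats the article’s four lines and adds a constructed `xtra.izatcloud.net` subdomain, a malformed line and a benign lookup to exercise suffix matching and error handling. Using dnsmasq as the local resolver is an assumption of this example; the article itself recommends a DNS-over-TLS block service.

```python
"""Flag Qualcomm XTRA / Izat Cloud DNS lookups in a query log and emit a
dnsmasq blocklist for them.  Added example, not from the original article.

Log format mirrors the lines shown in the article:
    [YYYY-MM-DD HH:MM:SS]    hostname
"""
import re
from datetime import datetime

# Hosts the article observed, with a one-line reason for flagging each.
WATCHLIST = {
    "izatcloud.net": "Qualcomm XTRA / Izat Cloud A-GPS endpoint (cleartext HTTP)",
    "android.clients.google.com": "Google Play host contacted by a de-Googled phone",
}

# Only the XTRA domain goes into the blocklist; the article suggests blocking
# the XTRA service, not Google hosts in general.
BLOCK = {"izatcloud.net"}

LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+(\S+)\s*$")

# Constructed sample log (article lines plus constructed extras for testing).
SAMPLE_LOG = """\
[2022-05-12 22:36:34]    android.clients.google.com
[2022-05-12 22:36:34]    connectivity.ecloud.global
[2022-05-12 22:36:36]    izatcloud.net
[2022-05-12 22:36:37]    izatcloud.net
[2022-05-12 22:36:40]    xtra.izatcloud.net
this line is not a DNS record
[2022-05-12 22:36:45]    f-droid.org
"""


def parse_line(line):
    """Return (datetime, hostname) for a well-formed log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    host = m.group(2).lower().rstrip(".")  # normalise case and trailing dot
    return ts, host


def matched_domain(hostname):
    """Return the watchlist domain that hostname equals or is a subdomain of.

    The leading dot in the suffix test prevents 'notizatcloud.net' from
    matching 'izatcloud.net'.
    """
    for domain in WATCHLIST:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def scan_dns_log(text):
    """Aggregate watchlist hits: domain -> count, first/last seen, hosts."""
    hits = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ts, host = parsed
        domain = matched_domain(host)
        if domain is None:
            continue
        entry = hits.setdefault(
            domain, {"count": 0, "first_seen": ts, "last_seen": ts, "hosts": set()}
        )
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["hosts"].add(host)
    return hits


def dnsmasq_blocklist(hits):
    """dnsmasq lines sinkholing each flagged domain in BLOCK and its subdomains."""
    return [f"address=/{d}/0.0.0.0" for d in sorted(hits) if d in BLOCK]


def report(hits):
    """Human-readable summary, one line per flagged domain."""
    lines = []
    for domain, e in sorted(hits.items()):
        lines.append(
            f"{domain}: {e['count']} lookup(s) {e['first_seen']:%H:%M:%S}-"
            f"{e['last_seen']:%H:%M:%S} via {sorted(e['hosts'])} "
            f"[{WATCHLIST[domain]}]"
        )
    return lines


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    print("\n".join(report(found)))
    print("\n# dnsmasq blocklist")
    print("\n".join(dnsmasq_blocklist(found)))
```

To use it on a real capture, export the DNS query names with timestamps from Wireshark in the same `[timestamp]    hostname` shape and pass the text to `scan_dns_log`. Sinkholing the domain removes the cleartext upload the article describes, but as the article notes it also stops the A-GPS download, so a fix on the phone gets slower; re-routing to the GrapheneOS proxy would need a different resolver rule than the plain sinkhole shown here.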
Author


Paul Privacy is an independent security researcher with a focus on privacy and helping others to obtain privacy on their phones and computers. Because privacy is cool. And being spied on is NOT cool. Be private. Be Cool. For a free consult you can contact me at: paulprivacy@posteo.ch or follow me on Twitter at @PaulPrivacyCool