Sprint loaded spyware on its Android phones

Alan sez, "TechCrunch and others are reporting that a program called 'Carrier IQ' that comes pre-installed on Sprint phones has some pretty amazing spyware capabilities, right down to keylogging everything you do on the phone."

Note the careful use of the words “record,” “provide,” “inspect,” and “report.” It’s obvious from this video that the application has access to the information in question, and whether it records, provides, inspects, or reports it is simply a setting they can choose. The purposes for which CIQ says their software is installed — identifying trending problems in the fleet, for instance — don’t seem to me to require the level of access the software has granted itself. Add this to the fact that users are not informed at any step of the fact that their information is passing through a “quality assurance” layer (sometimes before the user layer itself is aware of it), and their indignant denial begins to ring hollow.

Furthermore, as many developers have pointed out, the mere presence of the software is detrimental. Removing the software has reportedly improved performance and battery life. Furthermore, secure handshake information over wifi is passed through the software unencrypted, something that has little to do with carrier quality assurance. And if that information is cached even temporarily, that’s a security risk.

CarrierIQ, makers of the rootkit/spyware, threatened legal action against Trevor Eckhart, the researcher who reported on this, and backed down after EFF took up his case.

Carrier IQ Video Shows Alarming Capabilities Of Mobile Tracking Software (Thanks, Alan!)


    1. This should also cause real scrutiny of what they are hard baking into the roms they force on to the phones.
      We knew in the past they would disable features the phones were advertised as having so they could make money selling ringtones, what other surprises are hidden in these roms?

      1. No kidding. Phones like the Droid X and X2 (I carry the latter) have eFuse. Spyware is definitely a much bigger deal. Getting CyanogenMod on the phone will be, well, difficult. Thankfully there are custom “ROM”s for the systems, despite the encrypted bootloader. I put Liberty on mine, and my battery life has increased significantly. Makes me wonder what was going on in the background on the Verizon-addled, Motoblur-addled Gingerbread build the phone was running before.

  1. Be aware that this is not an Android problem, but Android’s hackability means it can be discovered, whereas on Blackberry and iPhone, it’s even more buried. And I believe it goes way beyond Sprint.

    Thankfully, CyanogenMod has none of this. One more reason to Root.

    1. From what I can see it relates to diagnostics and location services and it doesn’t go to the extent that Android does of capturing everything. Nevertheless, Apple has some explaining to do.

      1. Android does NOT do this on its own; this is a carrier-installed third-party piece of crapware. As others have said, the fact that this is done in Android proves the benefit of an (at least fairly) open system – we can find and disable said piece of crapware much easier than on a fruity-branded OS.

          1. From your link – “if you want to disable Carrier IQ on your iOS 5 device, turning off “Diagnostics and Usage” in Settings appears to be enough.”
            Appears? I’ll take the option on my Android phone to be CERTAIN that it does not exist…again, on a more open system, you’d be able to tell for sure whether it was installed and operating or not. FUD? Please.

          2. On the contrary,  your reply is the very definition of FUD. There is no such thing as a “fairly” open system; it’s like being a little pregnant–you are or you aren’t. Android isn’t Debian Linux. 

  2. So far this has been discovered on Android phones on every carrier in the US, and many other carriers around the world. CarrierIQ claims that its software runs on 140 million phones, which is clearly more than just Sprint.

    So far only Verizon has denied using CarrierIQ data, but they don’t consequently explain why the software has been found on their phones.

  3. This is why one buys an Android device…root it and own what you own. Most devs have been keen to this sketchiness for a while. (in my experience with an) Evo 4G with almost any custom ROM worth its weight has it removed. I’m sure any other OS (non Linux; mobile or not) has equivalent or deeper roots than this.
    I’m not saying it isn’t evil, I’m saying know your enemy and take control of your own hardware. You can’t trust anything unless you are willing to learn and KNOW. If you don’t want to, you should buy an i-device :D xoxo

    1. I don’t know why I bracketed my own sentence like I was quoting someone else in another context.  Just pretend I’m eccentric.

  4. The researcher never shows that the data ever leaves the phone.

    All he does is show the application intercepts the keystrokes, but he never says what is done with them. It could add up the count of each press, saying key ‘A’ was pressed 20 times on Wednesday. The developer of the App admitted it does send out data in chunks, though they didn’t elaborate on the type of data. Set up Wireshark and show that the keystrokes are sent across the wire.

    I’ll need more info before I get too upset with this.

  5. Apparently this isn’t all Android Sprint phones? I recently got the Sprint version of a Samsung Galaxy SII running Android and it doesn’t have either of the applications mentioned in the video.

  6. So this thing sends out data when in airplane mode on the 4g/carrier band. Ok. . . Please explain to me how this is within FCC/FAA regulations on a plane flight requiring no transmissions.  So pretty much everyone with an HTC and Sprint flying around is transmitting while in the air.  I personally think the whole idea of airplane mode is nonsense, nothing in a phone will hurt an aircraft. However, this seems like a simple reason enough to ban all these carrier-approved rootkit spyware sniffers.

  7. Get this crap off your phone and amazing! More battery life. If it really sends all your stuff twice, imagine the energy savings. If it’s sending data while in airplane mode, how is this legal for FAA regulations in flight?

  8. On a somewhat unrelated note, did I miss something about a new change to the BB comments section? Why am I now seeing a blue square with a sideways G next to people’s names? Why are some people’s names still hypertext?

    1. That sideways G is a power symbol. Like on your computer’s power button. It’s the default avatar/profile picture. The links in people’s names are to whatever website they list in their profiles.

  9. It doesn’t send, it collects. All that the video shows is that this software hooks into the system for data collection.

    However it will send this data (if requested by the carrier) via Wifi if the 3G is disabled.

  10. Goodness, there are a lot of people here whom I haven’t seen around before saying “Yeah, but Apple’s probably worse, you just don’t know it.”

    1. Actually they appear to be saying “Apple’s probably JUST AS BAD, you just don’t know it”.  A subtle, but important difference.  The point they’re making is that if you use iOS you MUST trust Apple as well as any telco carrier you contract with to be doing what’s in your best interest.  If you use Android and can root the device, you have a choice to reduce the amount of trust you place on any corporation in the chain.

      And “minimal trust in corporations” really should be the assumption, by the way.  You should assume that all corporations are equally as bad as each other.  They all have the same motives (profit above everything else) even if they have different methods of achieving their ends.  If you find out that one telco/tech/whatever company is doing something horrible you should just assume that they’re ALL doing something equally horrible until they prove otherwise.  The burden of proof is on them to be transparent, not on you to just trust them and assume that they’re doing what’s best for you.

      1. I don’t disagree with your point regarding minimal trust in corporations. However the comments here have been “This is why you get an Android phone: even though it comes with invasive software installed and gets lots of viruses, YOU CAN ROOT IT!!!”, the implication being that makes it better.

        Android is eating up the dumbphone market. How many people deciding between a Samsung Bada phone and a Samsung Android phone are going to be rooting it?

        However I very much agree with Frederick: this is a carrier thing more than an Android thing. I’m just wondering how many of the Just-Root-It brigade had a little freak out about Locationgate?

        1. My guess is that if a person is tech-savvy enough to understand the implications of the tracking, they are probably smart enough to root their Android handset. Ever hear of One Click Root? It’s not for every piece of hardware, but it is available on lots of units. BTW, I’ve used Android phones extensively for the last year and a half, and I’ve never had a virus.

          1. You’re most likely right. Does the fact that they don’t understand the implications of the tracking make it okay? I don’t think so. In fact, you pretty much argue against that in your “certain fruity OS” comment above.

            I haven’t had a virus on my Windows machine in years. Since my wife stopped using Outlook Web Services in IE, in fact. Doesn’t mean no one gets viruses. In March, Google had to remove almost two dozen malware-infected apps from their own marketplace.

            But I hadn’t heard of One Click Root. Looks pretty cool. The only one I could find seems to only do Samsungs. Will it do the Viewsonic tablets?

          2. I don’t know if there is one available for Viewsonic tablets; I think it is available for at least some  MotoDroid variants, as well as several Samsung models. There may be others, also. I agree that not knowing whether said spyware is present and active, and not understanding what its implications are, are both bad. The best solution would be (1) to educate people as to why this type of privacy violation is intolerable (tough to do); and (2) to  force the carriers into removing this crap from current and future OS releases (even tougher.) Until the latter happens, it’s time to root.

    2. Wow, ONE PERSON says “Looks like there are some traces of this in iOS as well.” and the Apple Fanbois come out swinging!

      1. Well, it’s not like there’s a history of people who insist that Android is superior to the iOS in every conceivable way and if there’s anything wrong with any Android implementation then it must not be better in iOS, or anything. 

      2. Wow, that’s not what I said at all. Even remotely. If it’s in iOS, then that sucks too.

        I didn’t realize it was in iOS. The story I found says they made the product, but no one knows for sure if it’s in the phone. Packet sniffing suggests that if it is, nothing is sent if you have “Send diagnostic information” turned off, which is the default. If anyone has more info, I’d like to know.

        …but I’d appreciate it if you could do it without the childish L33TSP3AK bashing.

        1. You’re right. My apologies. I think I’ve seen too many Gruber references lately.

          But even if the iOS default is to not send the info, you still have a background app logging all that stuff, that they didn’t tell you about until the Android story broke, and then it was just, “Oh, it’s on iOS too, but it’s not a BAD version”.

          BTW, I’m writing this on my Macbook Pro, and have had every model iPhone except the 3gs and now the 4s. I’m not an Apple hater, I just get bothered by… let’s just say “apologists who are overly sensitive to any slight against Apple, or Steve, or Apple products”.

          And that’s Gruber, not you.

          Note to self. Cut back on the caffeine, and the computer.

          1. No problem, we’re good. :)

            The logging doesn’t look to me like it’s any more in depth than the kind of stuff you can see in console.app, and it seems reasonable to me it’s collected for diagnostic purposes.

            I still don’t like it being tied in to CarrierIQ, though, since they wrote that software in a way that seems to make INSANE amounts of overreach available with a simple toggle. I’m glad that Apple has announced they will be removing it in favour of their own solution in an upcoming release.

  11. Exactly the same thing is on their iPhones – it’s just that Android’s openness made it easier to discover.

    1. It’s only turned on—not just ‘not transmitting’ but ‘not active at all’—on the iPhone whenever the iPhone is in Diagnostic Mode. Which is to say ‘virtually never’.

      1. If it’s turned on, it doesn’t need to be in “Diagnostic Mode”. Once it generates a diagnostic log (think a crash-dump file) it will fire it off back to Apple.

        Take a look in there if you’re curious. It will let you open and read the files yourself. I’ve examined a couple of them and can’t find anything like a UID let alone actually personal and private information. The only unique information (other than memory offsets for the different processes and threads) I saw in there was something called an Incident Identifier (which I imagine is unique for every crash or event) and a CrashReporter Key which I would guess is used for encryption if you have Report Back To the Mothership turned on.

        1. I turned mine on for a bit to see what it did. There does seem to be a deviceID string that’s consistent between my entries. Aside from that, it tracks call accuracy, time the call started and ended, and what apps were running when the call was on. There is some data in there that seems to characterize call issues. It notes if my phone was locked, had wifi on, and if 3G was available during the call. I’m not sure what else is logged that’s not in the publicly available data, but I wasn’t fussed about anything I could see.

    2. “it’s just that Android’s openness made it easier to discover”

      No consolation when my HTC EVO 4G has had Carrier IQ running for the past 17 months, not only without my knowledge but also with no way to disable it. 

      Please do not suggest rooting and installing a custom ROM as a viable solution: it is a non-starter for most users, especially anyone who values their time. I did in fact spend hours upon hours (with a monetary value of far more than the phone actually cost me) researching how to root, backup, find the best ROM, install the ROM, re-sync my Google account, restore all of my apps and data, restore the visual voicemail functionality, and learn all the differences between HTC Sense and stock Android (down to the terrible default Android Dialer), and when all was said and done the GPS would never work properly with the custom ROM no matter how many fixes I tried, which meant I had to throw out everything I had done and spend another several hours reversing the process.

      I won’t make that mistake again.

    3. Yeah, except we have an off switch. Oh and the ability to see the diagnostic data that is being sent if we left it on (we can also see diagnostic logs if off as well).

      I have it turned off as a matter of course, but it still generates diagnostic logs if a service crashes. It creates a nice little list of them and a viewer so I can review them myself.

      1. There is still a big difference between having an off switch, and not having it installed at all. I’d prefer to not have it installed. I’m not sure I’m willing to trust that the off switch truly disables all functionality; I have a hard time trusting any company that produces this kind of crappy spyware…

  12. Considering it’s a third party bit of software installed by the carrier, bringing Apple or Google into this makes no sense. It’s not a standard part of either iOS or Android. The carriers are at fault here.

  13. When contacted by the Android community, Rogers Canada confirmed that none of their handsets include Carrier IQ.

  14. I just emailed Sprint about my displeasure with this spyware and asked them for an immediate update to remove it. I hope everyone else who is a Sprint customer will do the same. Of course though, a class-action lawsuit is probably the only way to actually make them notice our discontent.

    On a side note, they should update the phones to allow us to uninstall the crappy bundled software we never use. I understand why a company would want software bundled, but if I were Blockbuster or one of their other partners, I would beg Sprint to allow uninstalling it too since it only engenders hatred for their company and service (just look at the comments in the Android Marketplace for those apps if you don’t believe me). 

    Carriers need to respect that while the service is theirs, the hardware is ours, even when the purchase is through a subsidized contract. 
