For millions of people buying inexpensive smartphones in developing countries where privacy protections are usually low, the convenience of on-the-go internet access could come with a hidden cost: preloaded apps that harvest users’ data without their knowledge.
One such app, included on thousands of Chinese-made Singtech P10 smartphones sold in Myanmar and Cambodia, sends the owner’s location and unique-device details to a mobile-advertising firm in Taiwan called General Mobile Corp., or GMobi. The app also has appeared on smartphones sold in Brazil and those made by manufacturers based in China and India, security researchers say.
Taipei-based GMobi, with a subsidiary in Shanghai, says it uses the data to show targeted ads on the devices. It also sometimes shares the data with device makers to help them learn more about their customers.
Smartphone makers get an additional benefit, said Chief Executive Paul Wu: By allowing GMobi to install its app on their devices, they are able to send updates to those devices for software known as “firmware” at no cost to them. That is an important consideration for device makers pushing low-cost phones across emerging markets.
“If end users want a free internet service, he or she needs to suffer a little for better targeting ads,” said a GMobi spokeswoman.
The trade-off between preserving privacy and sharing user data that fuels the business of many online services has emerged as a debate in the West.
has come under fire for not doing enough to protect user data. New legislation gives Californians the right to prohibit the sale of their personal data, while the European Union’s General Data Protection Regulation offers some of the world’s most stringent data-privacy protections.
In emerging economies, however, there are few if any privacy protections, and many people eager to get online may not realize the devices they are using are transferring huge swaths of data about them, often through obscure partnerships.
Thi Thi Moe, a sales clerk in Mandalay, Myanmar, said she was unaware until being informed by The Wall Street Journal that GMobi was collecting data from her Singtech P10 phone. She said she had become annoyed in recent months at frequent advertisements on its screen for mobile games.
“I don’t want that kind of app on my phone,” said the 28-year-old, who added that she bought her phone last year for $77. “I’m not familiar with the technology, but it seems like it shouldn’t be taking my private information.”
GMobi is one of several entities using the combination of low-cost smartphones and low regulations to siphon off reams of user data. Shanghai-based Adups and Indian digital advertising firm MoMagic offer similar firmware-updating services in partnership with smartphone makers.
“They are exploiting developing economies and individuals who can’t afford better devices and clearly tracking them,” said Marc Groman, who until last year served as White House Office of Management and Budget senior privacy adviser and now works as an independent consultant in Washington, D.C.
“In the EU and the U.S. this would not be lawful,” he said, based on how GMobi described its actions and researchers’ findings.
Upstream Systems, a London-based mobile commerce and security firm that uncovered the GMobi app’s activity and shared it exclusively with the Journal, says it bought four new devices that, once activated, began sending data to GMobi via its firmware-updating app. This included 15-digit International Mobile Equipment Identification, or IMEI, numbers, along with unique codes called MAC addresses that are assigned to each piece of hardware that connects to the web. The app also sends some location data to GMobi’s servers located in Singapore, Upstream says.
Upstream also said that in recent months it blocked GMobi’s app from making suspicious attempts to sign up users for paid services, such as mobile games. Had the app been successful, users would have been billed more than $7 million in total across eight countries, Upstream said. GMobi’s Mr. Wu said the company wasn’t responsible for any malicious activity emanating from its app.
Many popular smartphone apps collect user data such as contacts and even locations, but users typically install such apps, actively consent to the data collection and can delete the apps at any time. GMobi’s software comes pre-installed on new smartphones out of the box, and it can only be removed by taking elaborate technical steps.
GMobi provides firmware-update and other services to more than 100 smartphone makers churning out 2,000 different models of phones, with more than 150 million users globally.
The company declined to say which smartphone makers it now works with, citing nondisclosure agreements. China’s Huawei Technologies Co. and Xiaomi Corp., and Miami-based BLU Products are among the dozens of device makers listed on GMobi’s website.
A Huawei spokesman said the company has never worked with GMobi. A spokeswoman for Xiaomi, which after one of 2018’s largest IPOs will begin trading in Hong Kong on July 9, said the company doesn’t work with GMobi and has never done so. A BLU spokeswoman said the company had “exploratory discussions” with GMobi several years ago but doesn’t work with the company.
However, BLU, which makes smartphones for the U.S. and Latin American markets, was found in 2016 to be using GMobi rival Adups’s firmware services on smartphones sold in the U.S. Security firm Kryptowire reported at the time that the devices were sending user details to China, which BLU said had been done in error.
The BLU spokeswoman said the company no longer works with Adups. Shanghai-based Adups didn’t respond to queries about the firms with which it works.
Andy Ng, product director at Singapore-based Singtech, said his company stopped using GMobi’s services last year, though he said approximately 1 million of his company’s devices containing the app likely remain on the market in Myanmar and Cambodia.
“I wouldn’t have cooperated” with GMobi had Singtech known user data was being collected, he said. “It’s malware.”
But Shenzhen Hotwav Science and Technology Co., Ltd., a China-based company that makes Singtech’s devices, said all apps were installed at the smartphone maker’s request.
GMobi’s app is labeled as malware by several online antivirus scanning services. Malware is a term for malicious software or software that surreptitiously collects user data, though it is often also applied to software seen merely as a nuisance. GMobi CEO Mr. Wu said the app doesn’t constitute malware.
GMobi said users are asked to consent to data collection by clicking an end-user license agreement when they first activate their phones. Upstream found, however, that in some cases data is sent to GMobi servers in Singapore even without users’ consent. Mr. Wu said “for the most part” phone software updates via the app require agreements be accepted to work, but added that the software can also function in case the devices become inoperable and users cannot click on the agreements. He said the company doesn’t violate any data-collection laws.
Indian digital advertising firm MoMagic, which lists handset partners such as Xiaomi, Micromax, Intex and Japan’s
, offers a firmware-updating service similar to GMobi’s. A Xiaomi spokesman said the company doesn’t now work with MoMagic. Micromax declined to comment.
An Intex spokesman said MoMagic provides the company with the firmware-updating service but doesn’t collect user details for advertising purposes. Sony and Panasonic didn’t immediately respond to requests for comment on any partnership with MoMagic.
MoMagic Chief Executive Arun Gupta declined to say which services the company provides to specific makers, but said his company focuses on India and Bangladesh.
“We all know the law so far in India and Bangladesh is weak,” he said of private data collection regulations. “Whatever we collect is following the law of the land.”
—Josh Chin in Beijing, Myo Myo in Yangon, Myanmar, and Kersten Zhang in Beijing contributed to this article.
Write to Newley Purnell at firstname.lastname@example.org