German security company Nitrokey recently published a blog post stating that it had found an undocumented function in Qualcomm Snapdragon chips that collects some phone data and sends it directly to Qualcomm servers without the involvement of the Android operating system.
Nitrokey installed a version of Android without Google services on a Sony Xperia XA2 phone equipped with a Qualcomm Snapdragon 630 chip. The phone had no SIM card inserted and could connect to the Internet only through Wi-Fi.
Nitrokey used Wireshark to capture packets and found that data was being transmitted to the izatcloud.net server, which belongs to Qualcomm.
Qualcomm chips are used in 30% of the world's mobile phones, including Android phones and iPhones (using Qualcomm's communication modules).
The data is sent over the insecure HTTP protocol without any additional encryption, so the uniquely identifying data sent to Izat Cloud is basically accessible and readable by anyone.
Qualcomm then responded that the data transfer was in accordance with the privacy policy of the XTRA service, which in effect allowed the company to collect the unique smartphone identifier, chipset name, chipset serial number, XTRA software version, mobile country code and mobile network code, carrier, the type and version of the operating system, the make and model of the device, a list of programs on the device, IP address and other data.
Nitrokey concluded in the blog post that not only does Qualcomm’s custom AMSS firmware take precedence over any operating system, but thanks to the use of the HTTP protocol, a unique device signature can be created from the collected data, all of which can be accessed by third parties.