Secret key-logging software found on millions of phones

Millions of Android, Nokia and BlackBerry phones are secretly tracking their users, according to an Android developer.

Trevor Eckhart says he’s uncovered a piece of spyware that monitors the phone’s location even when location services are disabled, and which logs every keystroke. It ignores the ‘Force stop’ button and is nearly impossible to remove, he says.

The software – which Eckhart describes as a rootkit, because of the way it’s so hidden – comes from Carrier IQ, which initially threatened legal action against Eckhart, although it backed down when the Electronic Frontier Foundation intervened.

Eckhart has posted a video on YouTube showing the software on his own phone, recording keystrokes, search queries, texts and locations.

“The Carrier IQ application is receiving not only HTTP strings directly from browser, but also HTTPs strings,” he says.

“HTTPs data is the only thing protecting much of the ‘secure’ internet. Queries of what you search, HTTPs plain text login strings (yuck, but yes), even exact details of objects on page are shown in the JS/CSS/GIF files above – and can be seen going into the Carrier IQ application.”

Carrier IQ says its software is designed only to help carriers improve their network performance.

“While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools. The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools,” it says in a statement.

“The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to third parties. The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.”

Verizon has issued a statement explaining how its users can opt out.

“The company claims the software is designed to help mobile phone carriers to improve their service quality by measuring where calls drop, what applications are causing performance issues and which handsets may have problems on their networks,” says Chester Wisniewski of Sophos.

“This may be true, but the inability to opt-out or remove the software without informing the user is extremely concerning. Combine that with all of the sensitive information the software is designed to intercept and it raises far more questions about how this software is being used.”