Verizon and Sprint using rootkit to collect data from Android phones

Rich Fiscus
16 Nov 2011 9:48

A security researcher has identified a rootkit present on smartphones manufactured for two of the biggest US carriers. Both Verizon and Sprint are selling phones which come preinstalled with CarrierIQ, which is intended to be used for analyzing network and connection problems.
However, as Trevor Eckhart points out, it can be used for much more than that. More importantly, its very existence is hidden from the user, making it difficult to detect and even harder to remove.
So what exactly can CarrierIQ do? According to Eckhart it can gather all kinds of data you may not wish to share with your carrier (via AndroidSecurityTest):

Carrier IQ is able to query any metric from a device. A metric can be a dropped call because of lack of service. The scope of the word metric is very broad though, including device type, such as manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user?s pressing of keys on the device, usage history of the device, including those that characterize a user?s interaction with a device.

Information is sent to the carrier at various points defined by instructions from the carrier. These instructions are called packages. Once sent from the phone, the information can be viewed through an administration portal, which also allows packages of instructions to be sent to specific phones for an immediate report.
Eckhart also provides us with a convenient diagram showing the entire process.

CarrierIQ can be turned off on some devices, but HTC phones in particular apparently don't include this capability. Eckhart explains:

Devices are automatically entered into using Carrier IQ. Samsung android devices have an on off switch, but it is not easily accessible or made known to users that it?s even there. HTC android devices have no such off switch. Even if you purchase a phone on eBay completely off of sprint, use it on wifi only, Sprint will still be enabled to task your device with metrics because of no available off switch and Carrier IQs aggressive reporting nature across multiple protocols.

Making matters worse, Sprint has no privacy or retention policies governing their use of the data. Verizon does have a policy, and gives customers the option to disallow use of the data, but neither company gives you the choice to stop it from being collected.
Eckhart also provides some information for detecting CarrierIQ and accessing its hidden menus using his free Logging TestApp. The app requires a rooted Android device. CarrierIQ may also be found on RIM and Nokia devices, but he only provides Android-related information.
He says it can also be removed, but it will require some advanced knowledge of Android. Alternatively, there is a Pro version of his app ($1 as of this date) which can automate the removal process.