27 November 2016

Data Theft Alert: Android Users In India At Risk, Warn Cyber Security Experts

23 Nov, 2016

Indian cyber security experts have raised the alarm bells after reports emerged suggesting that security firm Kryptowire identified a "backdoor" spyware in Android smartphones in the US which collected sensitive personal data and transmitted it to servers in China.

The devices actively transmitted user and device information including text messages, contact lists, call history with full telephone numbers, and unique device identifiers to third-party servers in China without user-consent, Kryptowire claimed.

Shanghai Adups Technology, the Chinese company behind the spyware – or firmware – however admitted that it planted them in some Android phones "by mistake" but the "text messages, contacts or phone logs" were not shared with anyone else.

One of India's top cyber law experts, Pavan Duggal, explained:

Indian smartphone users are at the same risk as users in the US when it comes to sensitive personal data and information being copied from phones and transmitted to undisclosed locations without their consent or knowledge. This is owing to the security vulnerabilities that exist in the Android system.

Android is a very fertile platform with a large number of contaminants and infections. Hundreds of thousands of infections have been discovered on the Android platform in the last few years.


IT risk assessment and digital security services firm, Lucideus vice-president for training, Rahul Tyagi, had this to say:

Indian users share the same threat as China continues to be a major exporter of smartphones. Given the current market, there are a lot of new phone companies/models being launched every day with advanced features at a low price, most of them being manufactured in China – which may put user-privacy at great risk.

Duggal claims:

If the government comes to know that Chinese smartphones are stealing users’ data from their customers, then it is very apparent that our cyber law is not at all adequate to deal with such challenges. One of the biggest challenges in this regard would deal with the issue of attribution. How would the Indian agencies be able to attribute to the fact that the said misuse has been done from the indicated/suspected source? The issues pertaining to attribution need far more clarity.

Though under the 2008 amendments to the Information Technology Act, 2000, all mobile phones, including smartphones, have been covered within the ambit of the Indian cyber law, the law still does not comprehensively deal with relevant issues in the mobile ecosystem.

The absence of India as a signatory to any international treaty on cybercrime further complicates the intrinsic ability of the immense law and legal frameworks to provide effective remedies against any such contravention.

According to Internet and Mobile Association of India consultant and cyber security expert Rakshit Tandon:

The threat is very real for Indian users and the country lacks a sufficient law framework to tackle the situation. Thus, it is challenging for the Centre/state governments to ward off data stealing from smartphones by third-party software. We need stronger laws to apply enforcement on data stealing via such devices.

Duggal stressed that keeping new-age security needs in mind, steps must be taken to make Indian cyberlaw more effective and redressal mechanisms must be built in for the users who are part of the digital and mobile ecosystem.

No comments: