Smartphones With Popular Qualcomm Chip Secretly Share Private Information With US Chip-Maker | Nitrokey
Summary
During our security research we found that smartphones with a Qualcomm chip secretly send personal data to Qualcomm. This data is sent without user consent, unencrypted, and even when using a Google-free Android distribution. This is possible because the proprietary Qualcomm software that provides hardware support is also what sends the data. Affected smartphones are the Sony Xperia XA2 and likely the Fairphone and many more Android phones which use popular Qualcomm chips.
Introduction
The smartphone is a device we entrust with practically all of our secrets. After all, it is the most ubiquitous device, one we carry with us 24 hours per day. Both Apple and Android, with their App Store and Google Play Store, are spying on their paying customers. As a private alternative some tech-savvy people install a Google-free version of Android on their ordinary smartphone. As an example we analyzed such a setup with a Sony Xperia XA2 and found that this may not protect sufficiently, because proprietary vendor software, separate from the (open source) operating system, sends private information to the chip maker Qualcomm. This finding also applies to other smartphones with a Qualcomm chip, such as the Fairphone.
What is a de-Googled Android phone?
A deGoogled Android phone is one that has been modified to not include any of Google’s proprietary (closed-source) apps or services. This usually involves installing a custom ROM that replaces the standard Android software with an open source Android that doesn’t come with any of Google’s apps. You can either install such an Android yourself or buy a phone that already has this done for you (e.g. NitroPhone).
Google surveillance & tracking tools are everywhere, but most of this ‘evil’ is located inside the Google Play Services, which is closed-source. These millions of lines of code include things like constantly scanning your surroundings for Bluetooth and WiFi devices, using WiFi signal triangulation, then matching the visible WiFi antennas against Google’s database of the geographic locations of all WiFi access points they collect, in order to know your precise location at all times. This all works without connecting to the detected WiFi networks and even when your GPS is turned off. This method is similar to how the CIA tracked down Pablo Escobar in the 1990s but is now used on a massive scale to track every citizen around the globe.
Sample of wireless access point geolocation database www.wigle.net
To get rid of the almighty Google and Apple and their 24-hour tracking & surveillance tools, one approach is to use a de-Googled Android phone. As a result, your deGoogled phone will not have the Google Play Services and Google Play Store but will instead use an alternative open-source store app that offers the same apps. You can also avoid the use of a store altogether by downloading your apps (with the APK file extension) directly from the software vendor's website, just as you would when downloading a program to install on your PC.
Analyzing a DeGoogled Phone
In this test, we decided to try /e/OS, a de-Googled open-source version of Android that is privacy-focused and designed to give you control over your data. /e/OS claims that they do not track you and don't sell your data. Let's find out.
We installed /e/OS on a Sony Xperia XA2 smartphone. After installation, the phone boots into the /e/OS setup wizard. It asked us to turn on the GPS location service, but we purposely left it off because we do not need it now.
We also did not place a SIM card in the phone, so it could only send and receive data over the WiFi network, which we are monitoring with Wireshark. Wireshark is a professional software tool which allows us to monitor and analyze all traffic being sent over the network.
After we provided our WiFi password in the setup wizard, the router assigned our /e/OS de-Googled phone a local IP address and it started generating traffic.
The first DNS requests we see:
[2022-05-12 22:36:34] android.clients.google.com
[2022-05-12 22:36:34] connectivity.ecloud.global
Surprisingly, the deGoogled phone's first connection is to google.com. According to Google, the host android.clients.google.com serves the Google Play Store for periodic device registration, location, search for apps and many other functions. This is strange because we have a deGoogled phone without the Google Play Store. Later we found out that this request originates from microG, an open source re-implementation of Google's proprietary core libraries and applications.
Then it connects to connectivity.ecloud.global which, according to /e/OS, replaces Android's Google server connectivity check connectivitycheck.gstatic.com.
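The first-boot DNS audit described above can be automated: the script below, an added example that is not part of the Nitrokey article, parses log lines in the timestamp-plus-hostname format shown above and classifies each queried host against a hypothetical list of domain suffixes a de-Googled phone is, or is not, expected to contact. The suffix table and the category labels are assumptions for illustration; the two sample log lines are the ones quoted above.

```python
import re
from datetime import datetime

# Sample input in the "[timestamp] hostname" format shown above (the two
# queries observed right after the phone joined the WiFi network).
SAMPLE_LOG = """\
[2022-05-12 22:36:34] android.clients.google.com
[2022-05-12 22:36:34] connectivity.ecloud.global
"""

# Hypothetical policy for a de-Googled /e/OS phone: domain suffix -> (status, owner).
# Anything not listed is reported as "unknown" for manual review.
KNOWN_SUFFIXES = {
    "ecloud.global": ("expected", "/e/OS infrastructure"),
    "google.com": ("unexpected", "Google (should not be contacted by a de-Googled phone)"),
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<host>\S+)$")


def parse_dns_log(text):
    """Return (datetime, hostname) tuples; lines not in the expected format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        entries.append((ts, m.group("host").lower().rstrip(".")))
    return entries


def matches_suffix(host, suffix):
    """Label-aligned suffix match: 'a.google.com' matches 'google.com',
    but 'notgoogle.com' does not (a plain endswith() would get that wrong)."""
    return host == suffix or host.endswith("." + suffix)


def classify(host):
    for suffix, (status, owner) in KNOWN_SUFFIXES.items():
        if matches_suffix(host, suffix):
            return status, owner
    return "unknown", None


def audit(text):
    """One dict per DNS query: time, host, and its policy classification."""
    report = []
    for ts, host in parse_dns_log(text):
        status, owner = classify(host)
        report.append({"time": ts.isoformat(), "host": host, "status": status, "owner": owner})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```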
Two seconds later the phone started communicating with:
[2022-05-12...