Update, March 22, 2019 (1:50AM): HMD Global has issued a statement to Android Authority after news broke of some Norwegian Nokia 7 Plus models sending data to China.
“We have analyzed the case at hand and have found that our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus. Due to this mistake, these devices were erroneously trying to send device activation data to a third party server,” the Nokia brand licensee said in its statement.
The company insisted that no personally identifiable information was sent to the Chinese server. This assertion comes despite NRK reporting that the information could allow recipients to track a phone’s location in real-time. In any event, HMD Global says this issue was fixed earlier this year.
“This error has already been identified and fixed in February 2019 by switching the client to the right country variant. All affected devices have received this fix and nearly all devices have already installed it,” HMD said. It added that collecting “one-time device activation data” was a standard practice in the industry to activate a phone’s warranty.
Original article, March 21, 2019 (8:35AM): It’s not unheard of for sketchy games and apps to steal your data and send it to foreign servers. But it’s another story when your brand-new smartphone is sending this information to China out of the box.
That’s what happened to an unspecified number of Nokia 7 Plus phones in Norway, according to news website NRK (via r/Android). The outlet reported that data sent to China included a user’s location, phone SIM card number, and the device’s serial number. It added that this information allowed the recipient to track a phone’s real-time movement.
Data was being sent to a server with a vnet.cn domain, and a domain ownership check revealed the “China Internet Network Information Center” as the point of contact. NRK then contacted the organization and it confirmed that state telecommunications company China Telecom owned the domain.
Oddly enough, the code for the Nokia 7 Plus’s data collection method was reportedly found to be similar to code on GitHub by Qualcomm. So just what is actually going on here?
Was this purely an accident?
It’s believed that this data collection was intended for Nokia 7 Plus units in China, but it may have accidentally landed on devices outside the country. Furthermore, security researcher Dirk Wetter reported that the culprit could be an APK package named “com.qualcomm.qti.autoregistration.apk.”
HMD Global confirmed the issue with the outlet, saying it affected a “single batch” of phones. The Nokia brand custodian added that a software update was issued at the end of February to fix the problem. The company reportedly declined to answer NRK’s questions about who owns the Chinese server. HMD was also asked if this practice was required in order to sell Nokia phones in China, but the company refused to comment on the matter.
The Finnish data protection ombudsman has since confirmed that it will be investigating the incident to determine whether there was indeed a violation of GDPR law. We’ve contacted HMD Global and Qualcomm to clarify the matter and will update the article if/when the companies get back to us.