It’s not unheard of for sketchy games and apps to steal your data and send it to foreign servers. But it’s another story when your brand-new smartphone is sending this information to China out of the box.
That’s what happened to an unspecified number of Nokia 7 Plus phones in Norway, according to news website NRK (via r/Android). The outlet reported that data sent to China included a user’s location, phone number, and the device’s serial number. It added that this information allowed the recipient to track a phone’s real-time movement.
Data was being sent to a server with a vnet.cn domain, and a domain ownership check revealed the “China Internet Network Information Center” as the point of contact. NRK then contacted the organization and it confirmed that state telecommunications company China Telecom owned the domain.
Oddly enough, the code for the Nokia 7 Plus’s data collection method was reportedly found to be similar to code on Github by Qualcomm. So just what is actually going on here?
Was this purely an accident?
It’s believed that this data collection was intended for Nokia 7 Plus units in China, but it may have accidentally landed on devices outside the country. Furthermore, security researcher Dirk Wetter reported that the culprit could be an APK package named “com.qualcomm.qti.autoregistration.apk.”
HMD Global confirmed the issue with the outlet, saying it affected a “single batch” of phones. The Nokia brand custodian added that a software update was issued at the end of February to fix the problem. The company reportedly declined to answer NRK‘s questions about who owns the Chinese server. HMD was also asked if this practice was required in order to sell Nokia phones in China, but the company refused to comment on the matter.
The Finnish data protection ombudsman has since confirmed that it will be investigating the incident to determine whether there was indeed a violation of GDPR law. We’ve contacted HMD Global and Qualcomm to clarify the matter and will update the article if/when the companies get back to us.