Is Lenovo Spying on Me

So recently I was going through the file system on my Etotalk-bought Lenovo P780 when I came across a directory containing some disturbing data…
The directory contained images of faces cut from images received through apps I use (like WhatsApp) as well as images cut from pictures I took with the phone’s camera. My first thought was a virus… it wasn’t.

The directory is /storage/sdcard0/.SCG/.faceRectImg. A search for this name and a check on XDA don’t give as many hits as I would expect.
Apparently this directory has also been reported to be present on some Samsung devices…

I already had the plan to sniff all data from my phone while on WLAN to get an idea of the amount of data it transmits and the nature of it. This finding made me do it immediately, and the result was astounding, or at least it was to me…

I was expecting some apps (Google) to send some privacy-sensitive data back home for profile building or whatever, but not that almost everything was being shipped!

Three domains were receiving a lot of data from my phone while it was doing nothing at all:

google - duh
lenovo - ok…
qq - ?? Some Chinese social media thing…?

The most annoying source of unexpected data I found was the Lenovo stock apps. These send almost everything back home, from switching the device on to deleting/installing apps, etc.
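The post does not say which tool did the WLAN capture. As an added example (not from the original post), here is the kind of one-liner I use to rank where a phone's bytes actually go from plain tcpdump text output: capture on the WLAN gateway or a mirror port with `tcpdump -nn -q -i wlan0 host <phone-ip>`, then feed the log to the function below. The capture lines embedded here are constructed sample data, not a real trace, and the phone address 192.168.1.23 is an assumption.

```shell
#!/bin/sh
# Added example: sum bytes the phone sends to each destination ip:port, largest
# first, from "tcpdump -nn -q" text output. Only traffic *from* the phone is
# counted, so the server's replies do not inflate the picture.

# Constructed sample of tcpdump -nn -q lines (not a real capture). The 54.179
# address is one of the susapi.lenovomm.com A records from the post; the other
# destinations are placeholders.
SAMPLE_CAPTURE='10:00:01.000000 IP 192.168.1.23.41000 > 54.179.189.62.80: tcp 512
10:00:01.100000 IP 192.168.1.23.41001 > 74.125.24.188.443: tcp 1200
10:00:01.200000 IP 54.179.189.62.80 > 192.168.1.23.41000: tcp 60
10:00:02.000000 IP 192.168.1.23.41002 > 54.179.189.62.80: tcp 2048
10:00:02.500000 IP 192.168.1.23.41003 > 203.205.147.209.8080: tcp 300
10:00:03.000000 IP 192.168.1.23.5353 > 224.0.0.251.5353: UDP, length 80'

# Usage: bytes_per_destination <phone-ip> < tcpdump.log
# Prints "<bytes> <dst-ip>:<dst-port>" sorted by bytes descending. Port 80
# destinations are the plaintext ones worth opening in a packet dissector.
bytes_per_destination() {
    awk -v src="$1" '
        # $3 is "src.port"; appending "." stops 192.168.1.23 matching .230
        $2 == "IP" && index($3, src ".") == 1 {
            dst = $5
            sub(/:$/, "", dst)                 # drop trailing colon
            n = split(dst, a, ".")             # last component is the port
            port = a[n]
            addr = a[1]
            for (i = 2; i < n; i++) addr = addr "." a[i]
            bytes[addr ":" port] += $NF        # "tcp 512" or "UDP, length 80"
        }
        END { for (k in bytes) print bytes[k], k }
    ' | sort -rn
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | bytes_per_destination 192.168.1.23
```

Run it against a real log with `bytes_per_destination 192.168.1.23 < phone.log`; the top few lines are the hosts to reverse-resolve (`host <ip>`) and to pull into the hosts-file blocklist later in the post.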

The Lenovo-owned servers I found are:

susapi.lenovomm.com

A 54.179.189.62
A 54.169.112.65

uefsr.lenovomm.com

A 54.179.163.237
A 54.179.164.86
A 54.254.203.226
A 54.251.131.187
A 54.251.142.220
A 54.251.131.195
A 54.254.137.56
A 54.254.219.49

fsr.lenovomm.com

A 54.254.203.226
A 54.254.137.56
A 54.254.251.194
A 54.251.131.195
A 54.251.131.187
A 54.254.219.49
A 54.251.142.220
A 54.255.137.112

psb.lenovomm.com

A 223.202.19.20
A 223.202.27.20

lds.lenovomm.com

A 54.169.8.71
A 54.169.66.144

grm.lenovomm.com

Lookup failed

sss.lenovomm.com

A 223.202.27.30

api.wrapper.lenovomm.com

Lookup failed

I expect one of the servers with multiple A records to be the black hole where MY face images are sent. Another annoying thing about this (besides feeling violated and not knowing the reason for gathering all this info) is that the data they send is not even encrypted!
Makes you wonder how it is stored…

A search for the server names also does not reveal much info, other than some others who found this as well:
autistici - nice decompilation info
Even on the Lenovo forum there is a post about this behaviour.
Another one about IdeaPads (it seems Lenovo is keeping track of all their devices and users).

A search for “Lenovo spyware” gives way more results…
For instance on CNET and here.

For now my solution is to modify the Android hosts file, adding all the above-mentioned servers. This seems to be doing the trick (I have been monitoring for a few days now and no longer see communication to the Lenovo servers). The solution mentioned on autistici.org didn’t work for me, so I am still looking for a better method to block entire domains (or maybe Asia entirely, for that matter).
I do run a firewall and privileges configuration app on my phone, but both are stock apps by Lenovo - doh!
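The post describes the hosts-file fix but not how the entries were built or pushed. As an added example (not the author's own procedure), the script below turns the lenovomm.com names listed above into hosts entries, merges them into an existing hosts file without duplicating names already there, and, when asked, pushes the result to the phone over adb. The `adb root`/`adb remount` steps assume a rooted device with a writable /system (the exact remount differs per ROM); the two names that failed to resolve are included anyway, since a sinkhole entry costs nothing.

```shell
#!/bin/sh
# Added example (not from the original post): build a hosts-file blocklist for
# the lenovomm.com hosts seen in the post and merge it into the phone's hosts.

# Hostnames from the post's DNS lookups (grm and api.wrapper did not resolve at
# the time but are sunk as well).
LENOVO_HOSTS='susapi.lenovomm.com uefsr.lenovomm.com fsr.lenovomm.com
psb.lenovomm.com lds.lenovomm.com grm.lenovomm.com sss.lenovomm.com
api.wrapper.lenovomm.com'

# Print one hosts line per name for IPv4 and one for IPv6, so that an AAAA
# lookup cannot slip past a 127.0.0.1-only entry.
make_hosts_entries() {
    for name in $1; do
        printf '127.0.0.1 %s\n::1 %s\n' "$name" "$name"
    done
}

# Usage: merge_hosts <existing-hosts-file> "<blocklist text>"
# Writes the existing file followed by blocklist lines whose hostname is not
# already mapped there. Exact match on the name field, so "fsr.lenovomm.com"
# is not taken as already covered by "uefsr.lenovomm.com".
merge_hosts() {
    existing="$1"
    blocklist="$2"
    cat "$existing"
    printf '%s\n' "$blocklist" | while read -r ip name; do
        [ -z "$name" ] && continue
        if ! awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$existing"; then
            printf '%s %s\n' "$ip" "$name"
        fi
    done
}

# Apply on the device. Assumes adb root works on this ROM (otherwise run the
# same commands from "adb shell" + su) and that /system can be remounted rw.
push_hosts() {
    adb root && adb wait-for-device
    adb remount
    adb pull /system/etc/hosts ./hosts.orig
    merge_hosts ./hosts.orig "$(make_hosts_entries "$LENOVO_HOSTS")" > ./hosts.new
    adb push ./hosts.new /system/etc/hosts
    adb shell chmod 644 /system/etc/hosts
    # Sanity check: the name should now resolve to the loopback address.
    adb shell ping -c 1 susapi.lenovomm.com
}

# Without --apply just print the entries, ready to paste into /system/etc/hosts.
if [ "${1:-}" = "--apply" ]; then
    push_hosts
else
    make_hosts_entries "$LENOVO_HOSTS"
fi
```

Two caveats a practitioner would add. A hosts entry only catches exact names, so any new lenovomm.com subdomain sails through until it is added, and an app that connects to a hard-coded IP (or brings its own DNS resolver) never consults the hosts file at all; a firewall rule on the listed IPs, on the router rather than on the phone, closes that gap. And since the on-device firewall and privilege manager are themselves Lenovo stock apps, the router is also where you can verify the block independently of the software you are trying to contain.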

Truly a shame, I was really happy with the phone (battery life!) but this killed it.

To do: further lenovo traffic analysis, mtalk traffic and qq...