German security company Nitrokey recently published a blog post saying it found an unlisted function on Qualcomm’s Snapdragon chip.
According to TechGoing, this function can collect some mobile phone data and send it directly to Qualcomm servers without the involvement of the Android system
To prove its claim, Nitrokey installed a Google service-free version of Android on a Snapdragon 630-powered Xperia XA2 phone, with no SIM card inserted, and can only connect to the internet via Wi-Fi. Nitrokey used the Wireshark tool to capture data packets and detect that the data will be transmitted to the izatcloud.net server, which is owned by Qualcomm.
This information causes concern in the context that including Android phones and iPhones (using communication modules from Qualcomm), 30% of mobile phones in the world use Qualcomm chips.
This data is sent over the insecure HTTP protocol without any additional encryption and the uniquely identifiable data sent to the Izat Cloud is essentially accessible and readable by anyone.
Qualcomm then replied that the data transmission is subject to the privacy policy of the XTRA service, which allows the company to collect a unique smartphone identifier, chip name, chip serial number, XTRA software version, mobile network and country code, carrier or operating system type/version, device model, list of programs on the device, IP address
