This article is more than 1 year old
So, EE. Who IS this app on your HTC M9s sneakily texting, hmm?
HTC, EE and infosec bod all agree: We have no idea
EE has assured a customer that a pre-installed app found on new HTC M9 from the mobile operator is simply anti-fraud software.
However, both customer Barney Scott and an independent security expert remain unconvinced by this explanation, arguing that even if the app isn't malicious, it's at best badly designed and unwanted.
Scott came across the issue after noticing that pre-installed software on his new EE HTC M9 was calling home via text message.
"This is the second phone displaying this behaviour that I've received from EE after I sent the first back," Scott told El Reg. After failing to get a prompt response after raising the issue on Twitter, Scott contacted El Reg.
Scott is far from the only person to raise the problem, which has become the topic of a discussion thread on Reddit.
Some Reddit commenters said the handset phoned home to a Chinese number, although the area code is American.
"Why would a UK company be texting abroad for an internal service? Also they own the network & SIM, surely that would be part of the activation process rather than the rather more crude version of having the phone text them presumably with some unique hardware ID & other identifiable information," Scott told El Reg.
Keep calm, everything's excellent
Asked to comment on these concerns, an EE spokesman said that the software was a fraud prevention measure that helps to disable a handset in cases where phones are either lost or stolen.
Reddit commenters had expressed concerns that the phone number being contacted was in China, a concern EE dismissed as erroneous.
"We work with an American company as part of the anti-fraud software – in two of the Reddit threads someone points out that it’s a US number, rather than Chinese," a spokesman told El Reg.
Luis Corrons, technical director of PandaLabs and an expert in mobile malware, is disinclined to take the official line at face value.
"They say this is from a pre-installed anti-fraud software… if this is the case they have installed a really crappy app, whatever it is," Corrons told El Reg. "There are tons of anti-fraud tools, and sending a SMS to send out information is really odd. We are talking about smartphones that have Internet connection, why would anyone create an app that sends information to a foreign country via SMS?"
"It’s much easier to send it using the internet, and there you do not have any limit, so you can send more information if needed," he added.