This article is more than 1 year old
So, EE. Who IS this app on your HTC M9s sneakily texting, hmm?
HTC, EE and infosec bod all agree: We have no idea
Pre-installed security app? Highly dodgy, me lad
Even if it's legitimate the software raises privacy issues, according to Corrons.
"EE has a lot of explanations to give," he explained. "As a starter that app is pre-installed without informing their customers. That app is gathering personal information, with no warning. In a hidden way. Sending it via SMS, which the owner of the phone has to pay for. To a foreign country. To an undisclosed company. In some countries in the European Union doing this would be illegal."
EE was keen to rebuff the privacy accusations. A spokesman told us: "It’s simply not correct to say that customers are not informed, it’s explained in the contract people sign. Similarly, it’s incorrect to say that the app is gathering personal data, as I mentioned before. I’ll double-check on the SMS but I’m 99 per cent certain the customer doesn’t have to pay for it."
In an earlier phone conversation, the same EE spokesman said the app sent anonymised info – such as IMEI and IP address – which EE knows anyway.
Customers remain concerned, in part, because of previous cases where brand new smartphones sold to customers turned out to have been infected with malware. For example, phones distributed by Vodafone in Spain came with a Mariposa variant as a freebie. EE's reported use of a Computrace agent on Note 4 tablets prompted spookily similar complaints in some quarters.
More complaints about the somewhat controversial Computrace agent can be found here.
EE confirmed it had a business relationship with Absolute Software, a vendor of “persistent endpoint security and management solutions.” El Reg approached Absolute Software for comment but the firm declined, citing customer confidentiality.
Scott said that EE's social media team belatedly told him that the software was an anti-fraud measure.
"When I asked some follow up questions about it they stopped responding," according to Scott, who said that tech support people at EE are telling him the app remains something of a mystery.
"They were very confused by the messages and repeatedly told me that they had never come across this before. It for escalated up a few levels and then I got passed over to HTC who also told me they had no idea what it was. The case then got passed to an internal team to look into it, who responded by saying that they had no idea what it was. That it was probably some sort of spam thing, they didn't think that it was dangerous but couldn't say why they thought that," he said.
Corrons concluded that the issue was tied to EE. "When I Googled the phone number the SMS was being sent to, I found a few cases involving different mobile vendors, such as Samsung, so we can say it is clear that it is not related to HTC," he explained. "There was one thing all those cases I found had in common: devices were bought from EE."
"There are only two possible explanations: either it is the behaviour of one app they install, and they are not aware of that behaviour, or someone is installing a malicious program without EE's knowledge."
Scott added: "There is a hell of a lot of crapware on this handset, much more than I've had in recent years, including some sort of advertising widget on one of my home screens." ®