Chinese smartphone brand OnePlus is yet again found transmitting users personal data to a Chinese server. In the latest OxygenOS Beta update, an application named Clipboard is preinstalled on OnePlus devices, which is now said to transmit users personal data to a Chinese server owned by Teddy Mobile. For the unaware, Teddy Mobile is a service in China which helps in identifying unknown caller identities, same as Truecaller, but for the Chinese market.
This information is found by Security researcher Elliot Alderson? and he posted the same on microblogging portal Twitter. Analysing Anderson' series of Tweets, here's what we found out. Whenever a user copies any text, the Clipboard examines the data and differentiates what user exactly copies. For example, the Clipboard searches for data such as bank number, email ID, address, etc.
If it matches the string with the data copied by the user, the Clipboard application will fetch data such as mobile IMEI number, phone number, network details, IP address, device ID, and such. And in the final step, it copies the text and sends it to the Chinese server hosted by Teddy Mobile.
The issue here is pretty straightforward. If you copy your bank account details, the data will be sent to the Chinese servers in Teddy Mobile. For the unaware, the same researcher Anderson found out an issue on the Clipboard application sending data to Alibaba servers, but OnePlus claimed that the app was only meant to its Chinese users and it was accidentally added in the Global Beta ROM.
At the moment, it's unknown whether this is intentional from OnePlus or is it an accidental one, but the researcher is pretty sure that the data is being sent to Chinese servers. Nevertheless, we reached out to OnePlus on the same and will update this post once we get any information from the company.
Also, this Clipboard application is currently present in the latest OxygenOS Beta update and is yet to make its way to the stable ROM. Chances are that only a few people with OxygenOS Open Beta ROM will be affected at the moment, but like I said, the intensity of the issue is unknown.
