Chip giant Qualcomm reported to secretly collect, transmit user data: report

Smartphones with Qualcomm chips were found to send private user information, including IP address, unique ID, mobile country code, back to the U.S. chipmaker, according to a report by the German security company Nitrokey first released on April 25.

Such personal information was sent "without user consent, unencrypted, and even when using a Google-free Android distribution," said the report.

Nitrokey tested with a Sony Xperia XA2 smartphone which was equipped with a Qualcomm Snapdragon 630 chip and installed /e/OS, an open-source version of Android free of Google services.

No SIM-card was inserted in the phone, nor was the GPS location service turned on. The device can only access the internet through WiFi.

The company monitored the data with Wireshark, a network traffic software, and found that the data will be transmitted to izatcloud.net server, which attributes to Qualcomm.

The report said the data packages were "sent via the HTTP protocol and are not encrypted using HTTPS, SSL or TLS," making them vulnerable to attacks as anyone accessible to the network "can easily spy on us by collecting this data, store them, and establish a record history using the phone's unique ID and serial number Qualcomm is sending over to their mysteriously called Izat Cloud."

It added that the data sharing with Qualcomm is not mentioned in the terms of service from Sony or Android or /e/OS, which violated the General Data Protection Regulation.

While a Sony smartphone was used, Nitrokey said "many more Android phones" with popular Qualcomm chips such as Fairphone are likely to be affected.