Third-party telemetry found on Nokia 6.2 & Nokia 7.2 allegedly sending personal data to Columbia

A year ago, HMD Global’s Nokia 7 Plus was caught up in a scandal involving sending unencrypted data to the Chinese government all thanks to Norwegian site NRK, which first reported the matter.

After further investigation, it emerged that the Nokia 7 Plus had been installed with software meant for the Chinese market, but these particular units accidentally found their way to the global market.

A Finnish data protection watchdog went on to confirm this claim, saying that some Nokia phones were indeed sending user data to a Chinese server owned by China Telecom, a state-owned carrier, in an unencrypted format.

It was revealed that turning on the affected Nokia 7 Plus units, unlocking the phone or even turning on the display was enough to trigger sending of data to these servers.

HMD Global acknowledged the data breach and subsequently patched the bug by removing the infringing files from the Nokia 7 Plus and other potentially affected Nokia devices. As I write this, another similar issue has just been raised by omicron-b, a developer on Github.

Apparently, the Nokia 6.2 and Nokia 7.2 have third-party telemetry allegedly sending user data to servers in Columbia. The duo reportedly connects to dapi.hmdglobal.net roughly daily. As it stands, this is a Google Cloud that likely belongs to HMD Global.

Further digging revealed that the two phones have a pre-installed app that connects to the Google Cloud and redirects its data to Colombian servers owned by sitic.com.co, a Colombian company that brands itself as “leaders in innovation and create mobile and WEB applications for new products and services.”

The app responsible for doing this is a system app that has no name in the phones, but it was established as co.sitic.pp. The app is able to make calls, receive SMS, and even access your phone’s internet.

What this essentially means is that someone (probably HMD Global/Nokia) knowingly installed third-party telemetry that can read SMS, make phone calls, and so on yet for some reason they hid it from plain sight.

Even more interesting is that when the co.sitic.pp app is removed from the Nokia 6.2 and Nokia 7.2, requests to send data to Colombian servers subsequently stopped, basically pinpointing the app as the culprit.

For what is worth, this app also sends data to Microsoft Cloud in the U.S., but it still doesn’t justify the data requests from Colombia. The fact that this issue has been around for a while yet HMD/Nokia hasn’t responded says a lot about the company’s approach to protecting user privacy and data.

We hope to hear from the company sooner than later. We will update this story when the response comes in. Stay tuned to PiunikaWeb.

PiunikaWeb started as purely an investigative tech journalism website with main focus on ‘breaking’ or ‘exclusive’ news. In no time, our stories got picked up by the likes of Forbes, Foxnews, Gizmodo, TechCrunch, Engadget, The Verge, Macrumors, and many others. Want to know more about us? Head here.