AiTURE Fidget Spinner App Sends Device Data to Chinese Server
The AiTURE fidget spinner app developed by Chinese firm Shenzhen Heaton Technology Co. Ltd. and available in the Google Play Store for devices running Android OS was reportedly observed collecting user device data and sending it in plaintext to a server in China without the user’s consent or knowledge. This app is designed to pair a user’s mobile device with the associated AiTURE Bluetooth-enabled fidget spinner and allow the user to control certain functions of the popular toy using the app’s interface. However, a researcher observed that the app was transmitting a large amount of data to a server in China that included information about other apps installed on the device.

Although the intent behind this data collection is currently unknown, this incident highlights the risks posed by downloading software and applications developed in countries outside the US and the increasing risks that Android users face when downloading apps from the Google Play Store. The NJCCIC recommends AiTURE app users immediately delete the app from their devices. We also recommend mobile device users exercise caution when downloading any application, paying special attention to permissions the app requests, and consider avoiding apps developed within countries that are known to conduct cyber-espionage against US targets.