Chinese hardware maker AYANEO has been accused of spying on its users.
A user on Mr. Sujano’s GitHub flagged the potential issue, reporting that they had discovered the AYAWindow app on their Pocket DS Android handheld was taking screenshots "every single time" an action is carried out on the device.
The user, ghostmanslow, adds:
"There's over 1200 screenshots in there of me performing various actions/playing different games, and it updates in real time (for example: if I open an old screenshot, a screenshot of that screenshot becomes the newest screenshot) which I find really troubling.
In addition, the AYAWindow app has transmitted 12.5GB of data off of my devices since November 17th. I encourage everyone with a rooted Ayaneo device to go poking around in that directory and check how much data your AYAWindow app has transmitted."
Retro Handhelds, which has reported on the issue, has done some research and found that, out of AYANEO's Android-based devices, only the Pocket DS currently seems to be behaving this way. It's running v1.5.99 of the AYAWindow application, while other AYANEO devices are running older versions and aren't capturing screenshots.
Furthermore, Retro Handhelds installed PCAPdroid app to see if those screenshots were being sent anywhere, and discovered they were being sent to a domain called 'android.bugly.qq.com' – which was later found to be "Tencent’s Bugly service, a tool designed for Android developers to track app crashes, exceptions, and operational data."
Collecting data in this way to aid developers and create crash fixes isn't unusual, but, as Retro Handhelds rightly points out, there's no disclaimer from AYANEO covering this behaviour. Such activity should always be brought to the end user's attention so they can opt in or out, even if it's being used for perfectly legitimate purposes.
An AYANEO representative has responded to the person who flagged the issue initially, pointing out that this is normal behaviour for the system's dual-screen task manager, but a bug is preventing the cache from being cleared:
"DS has a dual-screen task manager feature that needs to render app thumbnails from the system. This is normal behavior. However, there's a bug - the cache isn't being cleaned up, causing screenshots to accumulate. Our team has identified this issue and will push a fix soon."
As for the privacy concerns, the representative adds:
"These images are small and stored in the app sandbox, posing no security risk.
AYA does NOT upload any of this data.
About the data traffic: Android calculates traffic by Linux UID. AYAWindow uses the system UID (android.uid.system), so all traffic from apps sharing this UID gets counted together. You can check other apps with the same UID (like "Phone" in Settings) - they'll show similar traffic. This is actually total device usage, not just AYAWindow."