Is Chinese spyware running on Samsung phones? In a startling post this week, a Reddit user who analyzed their own Galaxy S10+ claimed that the handset was communicating with servers in China.

Smartphones from the Galaxy S10 series displayed during the Samsung Unpacked event on February 20, 2019 in San Francisco. (Picture: Justin Sullivan/AFP)

Samsung’s Device Care storage tool is operated in partnership with China’s biggest cybersecurity firm, Qihoo 360. When some users found out last year, Samsung responded by saying the tool “does not transfer any personal information” off a handset to optimize storage. But that wasn’t enough to assuage concerns.

Part of the concern stems from Qihoo once being accused of helping Chinese authorities set up the Great Firewall to censor China’s internet, allegations that the CEO denied. Some still think Qihoo, being a China-based company, might be required to share any data it collects with government authorities.

The app is meant to be an optimization tool that scans Samsung phones to find out which apps are draining the battery or what files are taking up the most storage space. Since it’s a system app, it’s not easy to get rid of, either. It’s built into the phone’s operating system, so removing it requires either using an Android developer tool on a computer or having a rooted device.

It’s also not clear what data might be transferred when communicating with Qihoo servers. A Samsung representative told us that the storage tool uses a junk file database maintained by Qihoo. The company reiterated that no personal information is transferred outside of a user’s phone. The scanning and removal of junk files are done solely by Device Care on the phone itself.

Joe Chau, managing editor of the Hong Kong-based cybersecurity news platform wepro180, said it’s understandable that Samsung and other Android phones have to communicate with various servers to receive updates. But he also said it’s very difficult for ordinary users to determine what files or data their phones have shared with outside servers. It’s up to the companies to determine how transparent they want to be about that. 

“You’ll have to trust Qihoo and Samsung [about] what information they are collecting,” he told us. “This is a matter of trust and preconceived notions. If you install a different security scanner, it’ll probably do something similar. Even Google Maps sends a lot of your information back to Google.”