A bit of fuss was caused recently by a post on Reddit which claimed that Chinese spyware was present on all Samsung smartphones and tablets. The insinuation wasn't that this was due to some security vulnerability, but rather that it was by design.
The sensationalist title of the Reddit post aside, its author explained that Samsung has partnered with a Chinese antivirus company of questionable reputation for the storage scanner feature in the Device Care section. When it's run, the feature pulls some data from your device and sends it to Chinese servers. There's more here than meets the eye, though, and Samsung has now set the record straight.
Samsung phones aren't sending your files to China
It's important to understand what this feature is first. Device Care is part of Samsung's custom Android experience and it can't be removed; as such, none of the utilities it offers can be removed either. The storage scanner looks for junk files that can be removed to free up space on your device. It's a useful feature as you can often free up several GBs worth of space that was taken up unnecessarily.
The Chinese company that Samsung has teamed up with for storage scanner is called Qihoo 360. Its reputation is far from perfect as it has been involved in several controversies. In 2012, a whistleblower claimed that the company's 360 Secure Browser had a hidden backdoor. It's also known for complying with the Chinese government's censorship directives and may presumably turn over data to it when asked to do so.
The conclusion drawn was that since storage scanners need access to all files on a device to do what they do, and since the one in Device Care was communicating with Chinese servers, it could be sending users' files to China without their knowledge. The redditor conducted packet testing to see which domains his Galaxy S10 was communicating with.
Upon tapping on the option to manually update the database, he noticed that the phone started communicating with Chinese servers. While this did establish that the utility was communicating with Chinese servers, it didn't reveal exactly what was being sent, as the author himself pointed out. In no way did this confirm that a partner Samsung had granted access to was abusing that access to lift your files.
Clarifying the matter to The Verge, Samsung says that the only data that's sent to Qihoo 360 is non-specific information like the model of your phone, OS version, total storage capacity and other generic data used to optimize storage. Qihoo doesn't get any data that would enable it to locate a particular file on a user's device.
What the Chinese company does is simply provide a reference library of unnecessary/junk files that can be deleted to free up space. That library is also stored on the device itself. Device Care's storage scanner only uses the library to find out which files should be deleted. The deletion process is carried out by Samsung's own software; Qihoo plays no role in that. “The storage optimization process, including the scanning and removal of junk files, is fully managed by Samsung’s device care solution,” a Samsung representative confirmed.
Instead of diverting its own resources to maintain a library of junk files that its storage scanner could use, Samsung has simply outsourced that job to Qihoo. The Chinese company's role in this doesn't extend beyond that. It's understandable that the words China and spyware in a sentence are enough to cause suspicion, but Samsung deserves the benefit of the doubt. You can't expect a company with the size and experience that Samsung has to make a rookie mistake.