Spyware installed by (?) sends Android's text, msgs to China



Bob
17th November 2016, 13:10
ET phone home? Maybe if home is somewhere in China.. Android again has another problem..

Security researchers have uncovered a secret backdoor in Android phones that sends almost all personally identifiable information to servers based in China.

The firmware is managed by Shanghai Adups Technology, and according to the company, is contained on over 700 million phones worldwide, including phones available in the United States.

Adups says that the firmware provides companies with data for customer support, but an analysis by Kryptowire revealed that the software sends the full bodies of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Station Equipment Identity.

Or, in other words, everything that you would need to keep someone under surveillance.

Although Shanghai Adups is not affiliated with the Chinese government, the discovery of the firmware is being taken very seriously by US government officials: not least because the firmware does not disclose what it is doing and the firmware – spyware – comes pre-installed on new phones.

On its website, Adups says its firmware is used by 400 mobile operators, semiconductor vendors, and device manufacturers, covering everything from smartphones to wearables to cars and televisions.

The company has admitted that the specific software under examination was written following a request by a Chinese manufacturer, but has refused to name the company.

Open source is great! Android is the cat's meow!! We all know China IS our friend!!

-- source(s): multiple, TechCrunch, The Verge, The Register (UK), etc.


According to Kryptowire, data transmission of text messages and call logs takes place every 72 hours, and all other personally identifiable information is sent every 24 hours.

The data is sent to four servers:

bigdata.adups.com
bigdata.adsunflower.com
bigdata.adfuture.cn
bigdata.advmob.cn

They all resolve to the same IP address – 221.228.214.101 – which belongs to Adups.

Further adding to suspicions, communication between phones and the servers included two elements that allow the data sent to be connected to a specific phone number. In other words, rather than simply collecting data and aggregating it – something a lot of companies do (but disclose) – the Adups software purposefully makes it possible to identify and track specific phones.

In some respects, the Adups software is even more intrusive than the infamous Carrier IQ spyware, which was revealed in 2011 to be key-logging and transmitting data secretly. That discovery sparked an outcry.

Bob
17th November 2016, 13:19
From the security firm that identified this spyware:


Kryptowire has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent.

Devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD.

These devices actively transmitted user and device information including the full body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).

The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information. The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd.

article source link - http://www.kryptowire.com/adups_security_analysis.html

Kryptowire has communicated its findings with respect to the affected devices with Google, Amazon, Adups, and BLU Products, Inc.

Manufacturers that believe their devices may be affected can contact oem@kryptowire.com for additional information.

Consumers that believe their devices may be affected can refer to the manufacturer warranty or retailer terms of purchase for more information.

--- see the link for more background on this pre-installed spyware - http://www.kryptowire.com/adups_security_analysis.html

Bob
17th November 2016, 13:27
Hacker News takes it quite seriously - http://thehackernews.com/2016/11/hacking-android-smartphone.html

Moreover, it is worth noting that AdUps provides its (spyware) software to much larger handset manufacturers, such as ZTE and Huawei, which sell their Android phones worldwide, across over 150 countries and regions.

The secret backdoor is said to be there intentionally and not accidentally or due to a security flaw, although, according to the US authorities, at the moment it is unclear whether the data is being collected for advertising purposes or government surveillance.

Based on the received commands, the security firm found the software executing multiple operations, detailed below:

Collect and Send SMS texts to AdUps' server every 72 hours.
Collect and Send call logs to AdUps' server every 72 hours.
Collect and Send user personally identifiable information (PII) to AdUps' server every 24 hours.
Collect and Send the smartphone's IMSI and IMEI identifiers.
Collect and Send geolocation information.
Collect and Send a list of apps installed on the user's device.
Download and Install apps without the user's consent or knowledge.
Update or Remove apps.
Update the phone's firmware and Re-program the device.
Execute remote commands with elevated privileges on the user's device.


No, Users Can't Disable or Remove the Backdoor - feeling warm and fuzzy yet?

The backdoor has been discovered in two system applications – com.adups.fota.sysoper and com.adups.fota – neither of which can be disabled or removed by the user.


Google also issued a statement saying that the company is working with all affected parties to patch the issue, though the tech giant said that it doesn't know how widely AdUps distributed its software.
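The thread gives a defender two kinds of indicators: the four collection hostnames and the single IP they resolve to (first post), and the two system package names the backdoor lives in (this post). The script below, an added example that is not part of the thread and not Kryptowire's or Adups' code, turns those into a simple check over DNS resolver logs and over the output of an Android package listing. The log line format, the sample log lines and the sample package list are constructed for illustration; only the hostnames, the IP and the package names come from the thread.

```python
import re
from ipaddress import ip_address

# Indicators as quoted in the thread (hostnames, resolved IP, system package names).
ADUPS_DOMAINS = {
    "bigdata.adups.com",
    "bigdata.adsunflower.com",
    "bigdata.adfuture.cn",
    "bigdata.advmob.cn",
}
ADUPS_IPS = {"221.228.214.101"}
ADUPS_PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper"}

# Constructed sample resolver log, hypothetical format:
# <timestamp> <client-ip> <query-name> <record-type> <answer>
SAMPLE_DNS_LOG = """\
2016-11-17T01:02:03Z 10.0.0.23 bigdata.adups.com A 221.228.214.101
2016-11-17T01:02:09Z 10.0.0.23 play.googleapis.com A 172.217.0.1
2016-11-17T01:03:14Z 10.0.0.41 BIGDATA.ADFUTURE.CN. A 221.228.214.101
2016-11-17T01:04:00Z 10.0.0.52 cdn.example.net A 203.0.113.7
malformed line without fields
"""

# Constructed sample in the shape of `adb shell pm list packages` output.
SAMPLE_PM_LIST = """\
package:com.android.settings
package:com.adups.fota
package:com.adups.fota.sysoper
package:com.example.launcher
"""

DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rtype>\S+)\s+(?P<answer>\S+)$"
)


def normalize_domain(name):
    """Lower-case and drop a trailing dot so 'FOO.CN.' and 'foo.cn' compare equal."""
    return name.rstrip(".").lower()


def scan_dns_log(text):
    """Return (client, qname, answer, reason) for every line hitting an indicator.

    A line can match on the queried name, on the answered IP, or both; malformed
    lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = normalize_domain(m["qname"])
        answer = m["answer"]
        reasons = []
        if qname in ADUPS_DOMAINS:
            reasons.append("domain")
        try:
            if str(ip_address(answer)) in ADUPS_IPS:
                reasons.append("ip")
        except ValueError:
            pass  # answer is not an IP literal (e.g. a CNAME target)
        if reasons:
            hits.append((m["client"], qname, answer, "+".join(reasons)))
    return hits


def affected_clients(text):
    """Distinct client addresses that queried or resolved to an Adups indicator."""
    return sorted({hit[0] for hit in scan_dns_log(text)})


def scan_package_list(text):
    """Return the Adups FOTA package names present in a `pm list packages` dump."""
    found = []
    for line in text.splitlines():
        if line.startswith("package:"):
            pkg = line[len("package:"):].strip()
            if pkg in ADUPS_PACKAGES:
                found.append(pkg)
    return sorted(found)


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    print("Clients to review:", affected_clients(SAMPLE_DNS_LOG))
    print("Adups packages present:", scan_package_list(SAMPLE_PM_LIST))
```

Matching on the resolved IP as well as the hostname matters because the thread notes all four names resolve to one address; a device that reaches that address through a name not on the list still shows up. On a real handset the package check is the part a user can actually run, since the thread states the two packages cannot be disabled or removed, so confirming their presence is the practical first step before contacting the manufacturer.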