An employee of the security company Kryptowire bought a BLU R1 HD smartphone for a vacation trip and noticed that the device was generating suspicious network traffic. A closer look revealed that the device kept a connection open to Chinese servers (bigdata.adups.com, bigdata.adsunflower.com, bigdata.adfuture.cn and bigdata.advmob.cn) owned by Shanghai Adups Technology Company, better known as Adups.
The Kryptowire researchers soon realized that the problem was not limited to a single device. Shanghai Adups Technology Company develops and sells its own FOTA (Firmware Over The Air) update system, which is used by many manufacturers of Android devices. The FOTA software in effect contains a backdoor that maintains a connection to the Chinese company's servers. On receiving the corresponding command from the server, FOTA can:
- every 72 hours, send all SMS messages on the device to the Adups servers;
- every 72 hours, send the contents of the call log to the Adups servers;
- collect personal data that identifies the user and send it to the Adups servers every 24 hours;
- collect the IMSI and IMEI, geolocation data and the list of installed applications;
- remove or update applications;
- download and install new applications without the user's knowledge;
- update the device's firmware;
- remotely execute arbitrary commands and escalate privileges on the device.
According to Kryptowire, all of the malicious functionality is concentrated in two system apps that a user cannot simply disable or delete: com.adups.fota.sysoper and com.adups.fota.
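The two package names and the four server hostnames above are the only concrete indicators the article gives, so the natural first check on a suspect device is to look for them. The script below is an added example, not code from Kryptowire, Adups or BLU. It assumes (the article does not specify this) that the package list is the output of `adb shell pm list packages`, one `package:<name>` per line, and that the traffic or DNS log is plain text with the queried hostname somewhere on each line; the sample inputs are constructed for offline use, not real captures.

```shell
#!/bin/sh
# Added example (not code from Kryptowire, Adups or BLU): look for the
# indicators named in the article in (a) an Android package list and
# (b) a plain-text DNS/traffic log.
# Assumed input formats (not stated in the article): the package list is
# `adb shell pm list packages` output, one "package:<name>" per line; the
# log carries the queried hostname somewhere on each line.

# Package names the article says carry the FOTA functionality.
ADUPS_PACKAGES="com.adups.fota.sysoper com.adups.fota"
# Servers the BLU R1 HD was observed connecting to.
ADUPS_HOSTS="bigdata.adups.com bigdata.adsunflower.com bigdata.adfuture.cn bigdata.advmob.cn"

cr=$(printf '\r')   # adb shell output is usually CRLF; strip the CR

# Read `pm list packages` output on stdin; print each Adups package found
# (exact name match, so com.adups.fota does not match com.adups.fota.sysoper).
# Exit status 0 if at least one was found, 1 otherwise.
adups_packages_found() {
    found=1
    while IFS= read -r line; do
        line=${line%"$cr"}
        pkg=${line#package:}
        for p in $ADUPS_PACKAGES; do
            if [ "$pkg" = "$p" ]; then
                printf '%s\n' "$pkg"
                found=0
            fi
        done
    done
    return $found
}

# Read log lines on stdin; print each Adups hostname for every line it
# appears on. Exit status 0 if at least one was found, 1 otherwise.
adups_hosts_found() {
    found=1
    while IFS= read -r line; do
        for h in $ADUPS_HOSTS; do
            case "$line" in
                *"$h"*) printf '%s\n' "$h"; found=0 ;;
            esac
        done
    done
    return $found
}

# Run the package check against an attached device (needs adb in PATH).
check_attached_device() {
    adb shell pm list packages | adups_packages_found
}

# Constructed sample inputs so the script runs without a device.
SAMPLE_PACKAGES='package:com.android.settings
package:com.adups.fota.sysoper
package:com.example.launcher
package:com.adups.fota'

SAMPLE_LOG='10:01:02 query A bigdata.adups.com from 192.168.1.23
10:01:05 query A play.googleapis.com from 192.168.1.23
10:02:40 query A bigdata.advmob.cn from 192.168.1.23'

echo "== Adups packages in sample package list =="
printf '%s\n' "$SAMPLE_PACKAGES" | adups_packages_found || echo "(none)"
echo "== Adups hosts in sample log =="
printf '%s\n' "$SAMPLE_LOG" | adups_hosts_found || echo "(none)"
```

A hit on the package names identifies the Adups FOTA client, which the article says carries the functionality; what a particular build actually does is only confirmed by watching its traffic, which is why the host check is there as well. The check covers only the indicators the article names, so a clean result does not prove that a device is free of the problem.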
According to information published on the official Adups website, its FOTA update system is used by more than 400 mobile operators, device manufacturers and other companies, and its solutions run on more than 700 million Android devices worldwide. It should be noted that this concerns not only low-end Android smartphones (although they clearly make up the majority) but other gadgets as well. Exactly which companies use Adups products without being aware of the danger is not precisely known, but they are reported to include Huawei and ZTE.
Representatives of BLU Products have already commented on the information published by the Kryptowire researchers, saying that they were not aware of what FOTA was capable of and would soon remove the dangerous product from their devices. According to The New York Times, the problem affected 120,000 devices, which have already received the update.
Huawei representatives told ArsTechnica that "this company has never been on our list of trusted suppliers, and we have never done any business with it."
Representatives of Adups told The New York Times that the information was not collected for the Chinese government; it was simply a case of "a private company made a mistake."