Short Bytes: Kryptowire has found a secret backdoor in budget Android smartphones. They took the BLU R1 HD for testing and concluded that device has a firmware created by Shanghai AdUps Technology Co. Ltd which is being used to send device data and identifiable user information servers in China.
A security research firm Kryptowire has disclosed that a pre-installed backdoor in the firmware of various Android smartphones is being used to secretly send device data to servers present in China.
The alleged secret backdoor has been found in budget smartphones. Kryptonite was able to find the vulnerability in the BLU R1 HD smartphone sold in the United States via online portals like Amazon, Bestbuy, etc.
It has come to light that Shanghai AdUps Technology Co. Ltd, a China-based FOTA (Firmware Over The Air) provider, has designed the firmware. The company sells its software to leading companies – including ZTE and Huawei – covering 700 million devices across over 150 countries.
According to American authorities, it’s unclear whether the data sniffing is being done to fuel advertisement market or it’s a surveillance effort by the government of China.
The security researchers say that the backdoor is used to feed data – to servers located in Shanghai, China – like complete text messages, call logs, contacts, IMEI, usage pattern, device specifications, etc. They note that the AdUps backdoor also allows its operator to remotely install applications on the device and pinpoint a specific user by matching remotely defined keywords.
“The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested,” the researchers wrote.
All of the data is tightly encrypted before being sent to the desired servers. The AdUps firmware even manages to bypass the antivirus installed on the device because it is a system application and the antivirus doesn’t consider it as a malware.
The data transmission occurs every 72 hours (for texts, call logs) and every 24 hours (for PII – Personally Identifiable Information). It is not possible for the device owner to disable it.
Kryptowire has detected two system application package names related to the backdoor:
- com.adups.fota.sysoper
- com.adups.fota
The collected data gets transmitted to the following domains:
- bigdata.adups.com
- bigdata.adsunflower.com
- bigdata.adfuture.cn
- bigdata.advmob.cn
The research analysis concluded that the domain bigdata.adups.com was used to receive most of the data and all the above domains resolve to a common IP address – 221.228.214.101. Also, the domain rebootv5.adsunflower.com (IP address: 61.160.47.15) can be used to remotely execute commands on mobile devices with elevated privileges.
Kryptowire is a mobile security company backed by various security organizations in the US. The company has reported its findings to Google, Amazon, AdUps, and BLU.
BLU Products, whose smartphone was used for testing, said that around 120,000 devices manufactured by the company have been affected. They have updated the software to eliminate the feature.
According to AdUps, this software version – mistaken as a bug – was actually designed to help a Chinese device maker in monitoring user behavior. It wasn’t made for American smartphones.
Update: In response to the news, ZTE USA issued a statement to us in an email.
“We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.”
Read the official blog post to know more the data sniffing firmware.
If you have something to add, tell us in the comments below.
Also Read: China Threatens To Destroy Apple And US Auto Sales, Donald Trump Is The Reason
