Android backdoor found sending personal information from US users to China
Mobile security firm Kryptowire has discovered a backdoor in several Android smartphones sold in the US. The company says that the firmware collected personal data about users without consent, and sent this private information on to Chinese firm Shanghai Adups Technology Company.
Included in the reams of personal data shared to a third party server were the full text of SMS, call histories, and unique device identifiers. In addition to this, an OTA (over the air) update to firmware allowed for the non-consensual installation of apps, user location tracking and keyword monitoring.
Kryptowire says that the smartphones -- including the BLU R1 HD -- were sold through major retailers such as Best Buy and Amazon. Because monitoring was achieved at a firmware level, it was not picked up by antivirus tools, and multiple levels of encryption were used to disguise the data that was being transmitted.
Writing about the discovery in a press release, Kryptowire says:
In September 2016, Adups claimed on its web site to have a world-wide presence with over 700 million active users, and a market share exceeding 70 percent across over 150 countries and regions with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.
We analyzed the Personally Identifiable Information (PII) collected and transmitted in an encrypted format to servers in Shanghai, including one of the bestselling unlocked smartphones sold by major online retailers.
Moreover, some transmitted the body of the user's text messages and call logs to a server located in Shanghai. All of the data collection and transmission capabilities we identified were supported by two system applications that cannot be disabled by the end user. These system applications have the following package names:
The data collection and transmission capability is spread across different applications and files. The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other PII data. The information was transmitted to the following back-end server domains:
- bigdata.adups.com (primary)
All of the above domains resolved to a common IP address: 18.104.22.168 that belongs to the Adups company. During our analysis, bigdata.adups.com was the domain that received the majority of the information whereas rebootv5.adsunflower.com with IP address: 22.214.171.124 was the domain that can issue remote commands with elevated privileges to the mobile devices.
Details of the findings have been shared with Google, Amazon, Adups, and BLU Products, Inc.
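A defender-side check for the exfiltration pattern described in the quoted press release, added here as an example and not Kryptowire's or the page's own code: it scans DNS query logs for lookups of the two named Adups domains and flags hosts that contact them at a steady interval, as the reported 24-hour and 72-hour transmission cycles would produce. The log format, timestamps and client addresses are constructed assumptions.

```python
from datetime import datetime, timedelta
# Domains named in the Kryptowire press release; roles as described there.
ADUPS_DOMAINS = {
    "bigdata.adups.com": "PII, SMS and call-log collection",
    "rebootv5.adsunflower.com": "remote command channel",
}
# Constructed DNS query log (timestamp, client, queried name); not real captures.
SAMPLE_DNS_LOG = """\
2016-11-10T02:00:03Z 10.0.0.21 bigdata.adups.com
2016-11-11T02:00:07Z 10.0.0.21 bigdata.adups.com
2016-11-12T02:00:01Z 10.0.0.21 bigdata.adups.com
2016-11-13T02:00:09Z 10.0.0.21 bigdata.adups.com
2016-11-12T11:30:00Z 10.0.0.35 rebootv5.adsunflower.com
"""

def parse_dns_log(text):
    """Parse 'ISO8601 client qname' lines into (datetime, client, qname) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower()))
    return events

def find_adups_contacts(events):
    """Group lookups of the known Adups domains by (client, domain)."""
    hits = {}
    for ts, client, qname in events:
        if qname in ADUPS_DOMAINS:
            hits.setdefault((client, qname), []).append(ts)
    return hits

def beacon_period_hours(timestamps, tolerance=timedelta(minutes=30)):
    """Median gap in hours when lookups recur at a steady interval, else None."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
    median = gaps[len(gaps) // 2]
    if all(abs(g - median) <= tolerance for g in gaps):
        return round(median.total_seconds() / 3600, 1)
    return None

def report(text):
    """One finding per (client, domain): role, lookup count and detected beacon period."""
    findings = []
    for (client, qname), stamps in find_adups_contacts(parse_dns_log(text)).items():
        findings.append({"client": client, "domain": qname, "role": ADUPS_DOMAINS[qname],
                         "count": len(stamps), "period_hours": beacon_period_hours(stamps)})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))
```

On the constructed sample, `report(SAMPLE_DNS_LOG)` attributes a 24.0-hour beacon to 10.0.0.21 and a single command-channel lookup with no period to 10.0.0.35.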