Mobile security researchers at Kryptowire recently uncovered spyware preinstalled on hundreds of thousands of Android smartphones by FOTA provider Adups which was gathering personally identifiable information (PII) such as call logs, app usage data, and even the full contents of text messages and sending these to a third-party server—all without the users' knowledge.
The only US phones publicly known to be affected were entry-tier models made by device manufacturer BLU Products. The Florida-based company issued a statement saying that the issue had been resolved following an update by Adups, whom altered the apps responsible (com.adups.fota and com.adups.fota.sysoper) so that they would no longer gather and report any PII.
However, upon reaching out to Kryptowire for more details about the report, we learned that this supposed fix might just be sweeping the larger issue under the rug. We asked Kryptowire if the vulnerability was limited to devices with Adups-related packages preinstalled (com.adups.fota, com.adups.fota.sysoper, etc.) and, if so, would disabling those packages solve the issue.
The vulnerability is not necessarily limited to the Adups-related packages, but we can only confirm seeing it in the two packages mentioned. The exfiltration application logic can be put into any package and performed assuming the app has the permissions to get the user's PII. On the device, those two apps cannot be disabled by the user, unless you "root" the device and just delete them.
Adups has used their remote application (un)installation capabilities to update the com.adups.fota app with one that does not exfiltrate PII on the BLU R1 HD. The old com.adups.fota package that does exfiltrate still exists on the system image. They could use their remote uninstallation capability to remove the new com.adups.fota app (installed on the data partition) and change a few parameters in the server response to begin exfiltration again. This will be the case until they issue a firmware update that replaces the com.adups.fota package on the system image with one that has no capability to exfiltrate PII.
To sum that up, even though Adups has disabled the spyware, the company has the ability to remotely switch it back on at any time in the future. They can also change the name of the packages responsible—or pretty much anything else they want—without anybody knowing. Clearly, this is an abuse of power and a breach of the trust that people give to companies they purchase products from—especially when it comes to products like smartphones, which are practically a requirement for being a part of our modern society.
How to Test Your Phone for Adups' Spyware
How can you tell if your device is affected—BLU phone or another manufacturer—and what can you do to protect your private information? Normally, as noted by Kryptowire, you would have to root your device to locate the files and disable them. However, there is a workaround to that—you can just download an app (available on both Windows and macOS) called Debloater and take care of this yourself, no root required.
We've already got a great guide on using the Debloater program (see Steps 1-2 for installing it), but I'll show you below how to use it to find and disable any Adups firmware on your Android phone. For this walkthrough, I'll be using one of the devices known to be affected, the BLU Energy X 2, which we've purposefully not updated.
Step 1: See if Your Phone Is Affected
Once you have the program installed and your device is ready (with "USB debugging" enabled), connect your phone to the computer with a good USB cable and select Read Device Packages in the upper-left corner of the Debloater window.
Debloater will read all of the packages in your device and list them alphabetically.
Conveniently, Adups is right up there at the top of the list. If you see those two packages, your device is one of those affected. If not, congratulations!
Step 2: Disable the Adups Spyware
Select the two Adups packages (com.adups.fota, com.adups.fota.sysoper) by marking the check box to the left of their names.
Then just hit "Apply" and let Debloater do its magic.
If you select "Read Device Packages" again, it should show that the two Adups packages are now blocked.
And that's all there is to it. The caveat here is that we don't know if these are the only apps responsible for collecting PII, but if they are, this fix should do the trick.
This method does not remove these packages from your device, but it will disable them so they can't communicate back to their servers. If you should ever decide you want to reenable them, just hit up our full Debloater guide to see how that's done.
Who needs a wand? Unlock your magical powers and transform yourself from a Muggle into a Wizard or Witch just by using your Android phone. See how:
3 Comments
Just joined to say thanks for this article, it fixed my phone. Unfortunately, there was an error on submitting my longer post a moment ago, and life is too short to repeat it (forgot to copy it). Thanks - hoping this will post.
I couldn't get the Debloater thing to work, but isn't it easier just to read the contents of the phone via USB then delete the file from the Android folder? I found the com.adups.fota package (but not the second one) on an old Blu phone I bought a couple of years ago, and just deleted it from that folder.
I'm assuming if you delete it, it's gone for good and you don't need the Debloater app to do it.
My D-GTEK tablets/Slates came with android kitkat pre-installed. Fota & Search both show up as dangerous malware. They cannot be removed from the devices at all.
It is a bother as the system crashes all the time.
On another related subject, my copy of malwarebytes on the laptop was invaded over Easter. I went to check for updates and was directed to a page saying Malwarebytes has changed its name to TotalAV. I accepted this and allowed the NEW LOOK to be downloaded and installed.
I even fell for the super special of buying the full deck (cheap as a than you for updating my malwarebytes)
I installed this on the samsung and iphone hones.
It was checking this slate that I realised Malwarebytes hasnt gone anywhere and thus uninstalled the program and got Malwarebytes back on.
I invoked the cooling off period and hopefully the monies will be returned to the PREPAID credit card.
Cheers.
Now to read and see if there is anyway to remove the infected KITKAT from my tables and put a clean android op system on.Thanks...
Share Your Thoughts