Mobile security researchers at Kryptowire recently uncovered spyware preinstalled on hundreds of thousands of Android smartphones by FOTA provider Adups which was gathering personally identifiable information (PII) such as call logs, app usage data, and even the full contents of text messages and sending these to a third-party server—all without the users' knowledge.
The only US phones publicly known to be affected were entry-tier models made by device manufacturer BLU Products. The Florida-based company issued a statement saying that the issue had been resolved following an update by Adups, whom altered the apps responsible (com.adups.fota and com.adups.fota.sysoper) so that they would no longer gather and report any PII.
However, upon reaching out to Kryptowire for more details about the report, we learned that this supposed fix might just be sweeping the larger issue under the rug. We asked Kryptowire if the vulnerability was limited to devices with Adups-related packages preinstalled (com.adups.fota, com.adups.fota.sysoper, etc.) and, if so, would disabling those packages solve the issue.
The vulnerability is not necessarily limited to the Adups-related packages, but we can only confirm seeing it in the two packages mentioned. The exfiltration application logic can be put into any package and performed assuming the app has the permissions to get the user's PII. On the device, those two apps cannot be disabled by the user, unless you "root" the device and just delete them.
Adups has used their remote application (un)installation capabilities to update the com.adups.fota app with one that does not exfiltrate PII on the BLU R1 HD. The old com.adups.fota package that does exfiltrate still exists on the system image. They could use their remote uninstallation capability to remove the new com.adups.fota app (installed on the data partition) and change a few parameters in the server response to begin exfiltration again. This will be the case until they issue a firmware update that replaces the com.adups.fota package on the system image with one that has no capability to exfiltrate PII.
To sum that up, even though Adups has disabled the spyware, the company has the ability to remotely switch it back on at any time in the future. They can also change the name of the packages responsible—or pretty much anything else they want—without anybody knowing. Clearly, this is an abuse of power and a breach of the trust that people give to companies they purchase products from—especially when it comes to products like smartphones, which are practically a requirement for being a part of our modern society.
How can you tell if your device is affected—BLU phone or another manufacturer—and what can you do to protect your private information? Normally, as noted by Kryptowire, you would have to root your device to locate the files and disable them. However, there is a workaround to that—you can just download an app (available on both Windows and macOS) called Debloater and take care of this yourself, no root required.
We've already got a great guide on using the Debloater program (see Steps 1-2 for installing it), but I'll show you below how to use it to find and disable any Adups firmware on your Android phone. For this walkthrough, I'll be using one of the devices known to be affected, the BLU Energy X 2, which we've purposefully not updated.
Once you have the program installed and your device is ready (with "USB debugging" enabled), connect your phone to the computer with a good USB cable and select Read Device Packages in the upper-left corner of the Debloater window.
Debloater will read all of the packages in your device and list them alphabetically.
Conveniently, Adups is right up there at the top of the list. If you see those two packages, your device is one of those affected. If not, congratulations!
Select the two Adups packages (com.adups.fota, com.adups.fota.sysoper) by marking the check box to the left of their names.
Then just hit "Apply" and let Debloater do its magic.
If you select "Read Device Packages" again, it should show that the two Adups packages are now blocked.
And that's all there is to it. The caveat here is that we don't know if these are the only apps responsible for collecting PII, but if they are, this fix should do the trick.
This method does not remove these packages from your device, but it will disable them so they can't communicate back to their servers. If you should ever decide you want to reenable them, just hit up our full Debloater guide to see how that's done.