Kryptowire, a company specializing in mobile security solutions, released a report on Tuesday, November 15 that exposed firmware in a number of Android devices that was collecting personally identifying information (PII) and uploading it to third-party servers without users' knowledge.
Unlike malware you might accidentally download on the internet, this software comes preinstalled on a number of entry-tier smartphones.
Shanghai Adups Technology Co., a Chinese provider of professional FOTA (firmware over-the-air) update services to OEMs, mobile network operators, and semiconductor vendors around the world, was said to have created the PII-stealing code at the request of an unknown Chinese client. Adups has since apologized, stating that this data was collected in error and was deleted.
According to the report, Kryptowire was able to identify specific files being uploaded to servers belonging to the Adups company "every 72 hours for text messages and call log information, and every 24 hours for other PII data," via two system apps, com.adups.fota.sysoper and com.adups.fota, which cannot be disabled by the user. An example of the sort of information being transmitted was provided:
It is worth noting that [the] user's text messages are encrypted using DES. Below is an example entry of the dc_msg_key.json file:
"dc_date": "2016-09-13 17:01:07",
During our analysis we identified the necessary key to encrypt and decrypt these messages. The aforementioned entry in plaintext is: "Be there in 5".
The spyware-laced BLU models are:
- R1 HD
- Energy X Plus 2
- Studio Touch
- Advance 4.0 L2
- Neo XL
- Energy Diamond
For their part, Amazon has made any affected product unavailable for purchase. BLU has issued the following statement:
BLU Products has identified and quickly removed a recent security issue caused by a 3rd party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices.
Our customer's privacy and security are of the [utmost] importance and priority.
The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.
If we discover any other Android phones that are/were affected by Adups' spyware, we'll make sure to add them to this list. So far, aside from Huawei and ZTE, Google and LG have also stated that their branded devices do not carry Adups' firmware. OnePlus and HTC are still investigating.
If you have a BLU device and want to see if your device is currently vulnerable to this spyware, you can go to Settings -> Apps, then select the three-dot menu in the right corner. Next, select "Show system," then scroll down and open "Wireless Update." Devices with version numbers 5.0.x through 5.3.x are affected. Those listing version number 126.96.36.199.004 are not. If yours has not been self-updated yet, you can contact BLU for further details.
If you have another brand Android phone and want to see if you're vulnerable, make sure to check out the guide below, which will show you how to test for Adups' spyware, as well as how to disable it.
We have reached out for more details from Kryptowire and will update this post when we receive any new information.