A mobile security firm recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages.
Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other Android data to a Chinese server. The code comes preinstalled on Android phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based Virginia, United States. Kryptowire is a US Homeland Security contractor.
The Chinese company that is responsible for the creation of the software, Shanghai Adups Technology Company, says its code runs on more than 700 million Android phones, cars and other smart devices. It claims a market share of over 70% across 150 countries. One American phone manufacturer, BLU Products, said that 120,000 of its Android phones had been affected and that it had updated the software to eliminate the feature. Adups also provides its software to ZTE and Huawei (Update: Huawei statement below).
According to TheHackerNews, AdUps spyware does the following without the user’s permission:
- Collect and Send SMS texts to AdUps’ server every 72 hours.
- Collect and Send call logs to AdUps’ server every 72 hours.
- Collect and Send user personally identifiable information (PII) to AdUps’ server every 24 hours.
- Collect and Send the smartphone’s IMSI and IMEI identifiers.
- Collect and Send geolocation information.
- Collect and Send a list of apps installed on the user’s device.
- Download and Install apps without the user’s consent or knowledge.
- Update or Remove apps.
- Update the phone’s firmware and Re-program the device.
- Execute remote commands with elevated privileges on the user’s device.
The backdoor has been discovered in two system applications – com.adups.fota.sysoper and com.adups.fota – neither of which can be disabled or removed by the user.
Security experts frequently discover vulnerabilities in consumer electronics, but this case is exceptional, reports The New York Times. It was not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior, according to a document that Adups provided to explain the problem to BLU executives. That version of the software was not intended for American phones, the company said.
Besides BLU Products, Kryptowire said it has notified Google, AdUps, as well as Amazon, which is the exclusive retailer of the BLU R1 HD, of its findings.
Google issued a statement saying that the company is working with all affected parties to patch the issue, though the tech giant said that it doesn’t know how widely AdUps distributed its software.
[Update, 18 Nov:] Huawei told MalaysianWireless “The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them,” referring to the Shanghai Adups Technology Company.