In November 2016, a mobile security firm, Kryptowire discovered that Android smartphones made by BLU Products were sending massive amount of personal data to China servers, every 72 hours, without user consent. The data included phone number, location data, full contents of SMS, call list, and application used on the phone.
According to a recent research conducted by mobile security firm Trustlook, a range of other manufacturers, including notable brands Lenovo, Mediatek and ZTE, have been using software from the same company and their own consumers may be affected.
The company that is responsible for the creation of the software, China-based Shanghai Adups Technology Company, says its code runs on more than 700 million Android phones, cars and other smart devices. It claims a market share of over 70% across 150 countries.
Lenovo and ZTE are global Android manufacturers selling devices in every major region. Lenovo also owns the Motorola brand which is particularly popular in the US and Europe. Taiwan based-chipset manufacturer MediaTek supplies its products to Alcatel, HTC, Huawei, Lenovo, Meizu, Xiaomi, Sony Xperia, Vivo and more. In all, Trustlook has identified 43 manufacturers using Adups to deliver firmware which could possibly be the tip of the iceberg.
Adups software is used to provide Firmware-Over-The-Air (FOTA) updates for hundreds of companies and also acts as a data collector to build a database for spam text prevention. FOTA is a technology that wirelessly upgrades the mobile operating system, firmware of a smartphone.
However, the spyware was caught out collecting and transmitting sensitive user data without user’s permission:
- Collect and Send SMS texts to AdUps’ server every 72 hours.
- Collect and Send call logs to AdUps’ server every 72 hours.
- Collect and Send user personally identifiable information (PII) to AdUps’ server every 24 hours.
- Collect and Send the smartphone’s IMSI and IMEI identifiers.
- Collect and Send geolocation information.
- Collect and Send a list of apps installed on the user’s device.
- Download and Install apps without the user’s consent or knowledge.
- Update or Remove apps.
- Update the phone’s firmware and Re-program the device.
- Execute remote commands with elevated privileges on the user’s device.
Trustlook research confirms that Adups collects IMEI, IMSI, MAC address, Android version number, and operator information, in addition to the user’s SMS text messages, call log data and contact phone numbers. The firm said its Trustlook Mobile Security app is now able to detect the Adups spyware on Android smartphone. The app is free to download from Google Play.