Security researchers have uncovered a secret backdoor in Android phones that sends almost all personally identifiable information to servers based in China.
The firmware is managed by Shanghai Adups Technology, and according to the company, is contained on over 700 million phones worldwide, including phones available in the United States.
Adups says that the firmware provides companies with data for customer support, but an analysis by Kryptowire revealed that the software sends the full bodies of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Station Equipment Identity.
Or, in other words, everything that you would need to keep someone under surveillance.
Although Shanghai Adups is not affiliated with the Chinese government, the discovery of the firmware is being taken very seriously by US government officials: not least because the firmware does not disclose what it is doing and the firmware – spyware – comes pre-installed on new phones.
On its website, Adups says its firmware is used by 400 mobile operators, semiconductor vendors, and device manufacturers, covering everything from smartphones to wearables to cars and televisions.
The company has admitted that the specific software under examination was written following a request by a Chinese manufacturer, but has refused to name the company.
Phones with the firmware are available for purchase online in the US, including through major retailers like Amazon and BestBuy. Kryptowire said it only discovered its existence by accident when one of its researchers bought a phone to travel with and noticed some irregular network traffic when he turned it on.
Adups has not published a list of the phones its software is included in, although it is known to provide its software to the two large Chinese phone manufacturers Huawei and ZTE. Google has apparently told the company to also remove its software from any Android phones that run its app store, Google Play.
Data collection and transmission on the affected phones are handled by two system applications – com.adups.fota.sysoper and com.adups.fota – neither of which can be disabled by the user.
According to Kryptowire, data transmission of text messages and call logs takes place every 72 hours, and all other personally identifiable information is sent every 24 hours.
The data is sent to four servers:
They all resolve to the same IP address – 188.8.131.52 – which belongs to Adups.
Further adding to suspicions, communication between phones and the servers included two elements that allow the data sent to be connected to a specific phone number. In other words, rather than simply collecting data and aggregating it – something a lot of companies do (but disclose), the Adups software purposefully makes it possible to identify and track specific phones.
In some respects, the Adups software is even more intrusive than the infamous Carrier IQ spyware, which was revealed in 2011 to be key-logging and transmitting data secretly. That discovery sparked an outcry. The technology was recently bought by AT&T.
While Adups doesn't grab key logging or email address information, it does something much more worrying – enables apps to be updated and installed, and allows for remote execution and privilege escalation.
As such, it would be possible for Adups to identify a specific phone, install additional spyware on it, and grant full access to the phone. It would also be able to remove that software at a later date – ie, it would be the perfect spying tool.
The specific phone that the researchers discovered the firmware on was the BLU R1 HD. CEO of BLU Products, Samuel Ohev-Zion, said that the company was not aware of the firmware's capabilities, and that the company has now removed it.
According to Adups, the software featured on the phone tested by Kryptowire was not intended to be included on phones in the United States market.
A Huawei spokesperson sent us a statement:
"We take our customers' privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them." ®