The software of the company Adups collects almost all private data of an Android mobile phone and can install on the device irrevocably apps. It was developed at the request of Chinese providers. Their use in other areas was a mistake.
Software from the Chinese company Shanghai Adups Technologies, which is integrated on cheap smartphones in their Android operating system, spies the users of the phones and loads massively personal data on servers in China. The device firmware update (Firmware Over The Air, FOTA) analyzes users’ user behavior to give manufacturers and providers the ability to target advertising. According to Adups, the software is installed on more than 700 million devices worldwide. The manufacturer BLU Products is affected, whose devices are sold exclusively on Amazon, but probably also larger providers such as ZTE.
The tapped data includes phone numbers, phone-specific information such as the IMEI, the content of text messages, the exact location, the complete connection history, and apps installed on the device. According to the security firm Kryptowire, which has investigated the software under laboratory conditions, Adups can also install apps on the device and execute commands. The software bypasses the right system of Android and is difficult to track down if you do not know what to look for. Since anti-virus programs usually assume that software that is delivered with the device is harmless, they too have remained ineffective in this case.
The software had encrypted the collected data and uploaded in JSON format to several servers with Chinese domains, which are controlled by Adups by name. Most of the data was collected every 24 hours, text messages and the connection history were transmitted every 72 hours. Kryptowire cooperates closely with the US Homeland Security Authority, but has investigated this case independently and by chance. A researcher of the company had bought a BLU R1 HD as a cheap mobile phone for a foreign journey and discovered strange network traffic when setting up.
Everything just an oversight
Which devices are exactly affected is unknown. A spokesman for Adups Technologies told the New York Times that his company had made a mistake. This is not a state-of-the-art espionage, according to the statement. The equipment concerned had been intended for the Chinese market and the espionage functions had been developed on the request of Chinese equipment manufacturers. Whether the spy software is also installed on BLU devices that were offered as an import into German online stores, heise Security could not verify so far. However, it is still conceivable.
The manufacturer BLU announced that an over-the-air update had removed the espionage functions from the devices after Kryptowire had informed the manufacturers as well as Adups, Google and Amazon. Huawei, also known by the Times as a customer of the Adups software, has now said that the company has never worked with the company in any way.
The case is somewhat reminiscent of the Carrier IQ software, which was discovered in December 2011 on millions of smartphones from different manufacturers. This software should also collect user data for manufacturers and providers. The case had at that time danced waves and led to a series of complaints against the manufacturer of the software. Among other things, the US Trade Commission FTC had taken legal action.