Multiple Android mobile device models sold in the United States have recently been found to include a backdoor in their firmware and to send personally identifiable information (PII) to third-party servers without disclosure or the users’ consent.
Discovered by security firm Kryptowire, the backdoor transmits sensitive data such as text messages, contact lists, call history (including full telephone numbers), the International Mobile Subscriber Identity (IMSI), and the International Mobile Equipment Identity (IMEI).
What’s more, the firmware could target specific users and text messages matching remotely defined keywords, and also collected information on the use of applications on the affected devices. The firmware can also bypass the Android permission model, can execute remote commands with escalated (system) privileges, and can even remotely reprogram the device.
The security researchers say that the firmware on the affected devices, including the BLU R1 HD smartphone and other devices sold via Amazon, BestBuy, and other major US-based online retailers, could also install applications remotely, without user consent. Some versions of the software also allowed for the transmission of fine-grained device location information.
The researchers determined that the backdoor activities were performed through a commercial Firmware Over The Air (FOTA) update software system managed by a company named Shanghai ADUPS Technology Co. Ltd. The firm claims that its firmware is integrated in devices from over 400 leading mobile operators, semiconductor vendors, and device manufacturers, and that it has a world-wide presence with over 700 million active users.
Device and user information was periodically collected without user consent or knowledge and, using multiple layers of encryption, was transmitted over secure web protocols to a server located in Shanghai. The data collection and transmission were performed by two system apps that the user couldn’t disable, namely com.ADUPS.fota.sysoper and com.ADUPS.fota.
“The data collection and transmission capability is spread across different applications and files. The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other PII data,” Kryptowire says. Data was sent to four domains, all of which resolved to an IP belonging to ADUPS, so there was little doubt that this company was responsible for this suspicious activity.
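A defender-side check for the two behaviours described above, written here as an added example and not code from Kryptowire or ADUPS: it looks for the two named system packages in `adb shell pm list packages -f` output, and flags destinations that a device contacts on the 24-hour and 72-hour cadences the report gives. The log line format, device ids and hostnames are constructed placeholders, not the real ADUPS domains.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The two system apps named in the report (compared case-insensitively).
ADUPS_PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper"}


def find_adups_packages(pm_output):
    """Return the ADUPS package names present in `adb shell pm list packages -f`
    style output, where each line reads 'package:<apk path>=<package name>'."""
    found = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line.rsplit("=", 1)[-1].strip().lower()
        if name in ADUPS_PACKAGES:
            found.add(name)
    return found


def periodic_contacts(log_lines, min_hits=3, tolerance=timedelta(hours=1)):
    """Group outbound connections per (device, host) and flag pairs whose gaps are
    consistently ~24h or ~72h. Returns {(device, host): period_in_hours}.
    Constructed line format: '<ISO-8601 timestamp> <device id> <host>'."""
    contacts = defaultdict(list)
    for line in log_lines:
        ts, device, host = line.split()
        contacts[(device, host)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in contacts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        for period in (timedelta(hours=24), timedelta(hours=72)):
            if all(abs(gap - period) <= tolerance for gap in gaps):
                flagged[key] = period.total_seconds() / 3600
    return flagged


# Constructed sample log: dev1 beacons every ~72h, dev2 every ~24h, dev3 irregularly.
SAMPLE_LOG = [
    "2016-11-01T03:00:00 dev1 fota.example.invalid",
    "2016-11-04T03:05:00 dev1 fota.example.invalid",
    "2016-11-07T02:58:00 dev1 fota.example.invalid",
    "2016-11-01T09:00:00 dev2 fota.example.invalid",
    "2016-11-02T09:10:00 dev2 fota.example.invalid",
    "2016-11-03T08:55:00 dev2 fota.example.invalid",
    "2016-11-01T10:00:00 dev3 cdn.example.invalid",
    "2016-11-01T10:30:00 dev3 cdn.example.invalid",
    "2016-11-02T18:00:00 dev3 cdn.example.invalid",
]
```

Run `periodic_contacts(SAMPLE_LOG)` to see dev1 and dev2 flagged at 72 and 24 hours; a real deployment would feed it proxy or DNS logs and pair the hits with the package check on the device.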
In fact, ADUPS has already confirmed that it indeed collects device and user information, including “model information, device status, application information, bin/xbin information and summary information from phones and messages.” This data, the company claims, is used to ensure that “the appropriate updates and services are sent to the correct devices.”
What’s more, the FOTA update services provider says that it uses multiple encryption layers and HTTPS in the transmission process to ensure data safety. The company claims to have “taken customer and user privacy very seriously” ever since launch, and even provided an explanation of why text messages were collected alongside phone call information.
“In response to user demand to screen out junk texts and calls from advertisers, our client asked ADUPS to provide a way to flag junk texts and calls for users. We developed a solution [that] collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience,” the company says, adding that the application was meant to flag texts considered junk and numbers associated with junk calls and not in a user’s contacts.
Apparently, a version of the application that included the functionality inadvertently ended up on some BLU Products, Inc. devices in June this year. The company claims that BLU raised concerns on the matter and that ADUPS immediately disabled the data collection feature on BLU devices. “Those phones have passed the Kryptowire test,” the company says.
Moreover, the FOTA service provider says that “no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a BLU phone during that short period was deleted.” The company claims that it worked together with BLU and Google to ensure that the same won’t happen again on updated versions of the firmware in BLU’s phones.
While the company’s explanation fully confirms the data collection and transmission practice, it still doesn’t explain why the owners of impacted devices weren’t warned about it. Given that ADUPS’ firmware is so widespread, 700 million users in over 200 countries and regions could potentially have their information collected daily, which poses a major privacy issue.
“As smartphones are ubiquitous and, in many cases, a business necessity, our findings underscore the need for more transparency at every stage of the supply chain and increased consumer awareness. Kryptowire has developed tools aimed at detecting non-compliant software that can violate privacy and security policies that are not necessarily classified as malware. In many cases, these applications are benign, but exhibit behavior non-compliant with organizational, industry, and government policies,” Kryptowire notes.