Several Android smartphone models sold in the US, including through major online retailers such as Amazon and Best Buy, shipped with firmware that surreptitiously collected detailed personally identifiable information about users and devices and sent it to a server in China.
An employee working for DARPA-funded security firm Kryptowire stumbled upon the issue when using a burner phone from Miami-based BLU Products he had purchased for a trip overseas. When setting up the device, the Kryptowire employee noticed some strange network activity and started poking around.
The investigation led to the discovery of firmware on the phone designed to actively transmit device identifying data and user information, including the complete content of text messages, full contact lists, call history data, and other information to a server based in Shanghai.
The firmware bypassed Android’s permission model and also collected and transmitted information about how the applications installed on the device were used, Kryptowire said in an alert this week. “It executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices,” the security firm said.
Kryptowire’s alert is sure to rekindle memories of a similar episode involving Carrier IQ, a now defunct mobile analytics company that in 2011 got caught in a huge controversy for supposedly collecting and transmitting user and device data to carriers without user consent. Though it later turned out the company was only collecting data for monitoring device and network performance, Carrier IQ’s failure to fully disclose what its software did led to considerable speculation about its motives.
Kryptowire’s analysis of the code and network activity showed that the Adups firmware on some Android devices allowed for remote installation of user applications without any user consent. In some instances, the firmware gathered and relayed what the security firm described as fine-grained location data on the device.
All information the firmware gathered was protected with multiple layers of encryption and transmitted over secure web protocols to Shanghai. Collected text messages and call-log data were sent to China every 72 hours; other personally identifiable information was sent every 24 hours.
Because the firmware shipped preinstalled on the device as part of the system image, anti-virus tools treated it as trusted and placed it on their application whitelists.
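The fixed 24-hour and 72-hour upload cadence described above is exactly the kind of signal a network-side detector can catch even when on-device anti-virus trusts the system app. The following is an added illustration, not code from Kryptowire or from the original article: it takes a constructed export of outbound connections from a device (timestamp and destination host, one per line; the hostnames and times are made up for the example) and flags any destination contacted at near-constant intervals. The tolerance of 5% jitter and the minimum of three intervals are assumptions chosen for the example, not values from the report.

```python
"""Flag destinations a device contacts on a fixed schedule (beaconing).

Added example. Input is a constructed connection export in the form
"<ISO-8601 UTC timestamp>,<destination host>", one record per line,
as a device-side firewall or proxy log might produce.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host hit daily, one every three days, one at
# irregular times, one seen too rarely to judge. Deliberately out of order.
SAMPLE_LOG = """\
2016-06-01T03:00:12Z,pii-collector.example.invalid
2016-06-01T03:05:00Z,sms-collector.example.invalid
2016-06-01T08:14:03Z,news.example.invalid
2016-06-01T19:40:11Z,news.example.invalid
2016-06-02T03:01:05Z,pii-collector.example.invalid
2016-06-03T02:59:50Z,pii-collector.example.invalid
2016-06-03T12:02:55Z,news.example.invalid
2016-06-04T03:00:30Z,pii-collector.example.invalid
2016-06-04T03:04:40Z,sms-collector.example.invalid
2016-06-04T07:11:20Z,news.example.invalid
2016-06-05T03:00:08Z,pii-collector.example.invalid
2016-06-05T21:33:09Z,news.example.invalid
2016-06-06T10:00:00Z,update.example.invalid
2016-06-07T03:05:20Z,sms-collector.example.invalid
2016-06-09T10:00:00Z,update.example.invalid
2016-06-10T03:05:02Z,sms-collector.example.invalid
"""


def parse_log(text):
    """Group connection timestamps by destination host."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, host = line.split(",", 1)
        events[host.strip()].append(
            datetime.strptime(stamp.strip(), "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(events, min_gaps=3, max_jitter=0.05):
    """Return {host: period_hours} for hosts contacted at regular intervals.

    A host qualifies when it has at least `min_gaps` inter-contact gaps and
    the gaps' standard deviation is within `max_jitter` of their mean, i.e.
    the schedule is near-constant. Irregular browsing fails this test.
    """
    findings = {}
    for host, stamps in events.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() / 3600.0
                for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            continue  # too few observations to call it periodic
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            findings[host] = round(period, 1)
    return findings


if __name__ == "__main__":
    for host, period in sorted(find_beacons(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: contacted every ~{period} h")
```

On the constructed sample this reports the daily and three-day collectors and stays quiet about the irregular news host and the host seen only twice. In practice the candidate list is then checked against the device's expected update and telemetry endpoints; a periodic upload of several hundred kilobytes every 72 hours to an unfamiliar host is what the behaviour described in the article would look like from the network.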
Kryptowire traced the monitoring back to a commercial firmware-over-the-air (FOTA) update service operated by Shanghai Adups Technology Co., Ltd.
The Chinese company’s website describes it as a leading provider of firmware-over-the-air services for end-to-end mobile device management. Adups claims that more than 400 mobile operators, device manufacturers and semiconductor companies use its service to deliver firmware updates and device upgrades for their products, and that more than 700 million mobile phone users in some 200 countries currently have its firmware on their devices.
In a statement responding to Kryptowire’s report, Adups suggested the firmware discovered on the Android phones from Blu was included by mistake and was meant for use only by some specific, unnamed clients.
Those customers apparently wanted Adups to provide a way to flag junk texts and calls to users. So the firm developed a customized FOTA application that collected messages and applied back-end data analytics to them to identify and flag messages fitting that category. The specialized application looks for and flags content that has previously been associated with junk messages, Adups said.
In June 2016, the customized firmware inadvertently ended up on devices sold in the US by Blu Products. When Adups learned of the issue it took measures to disable the monitoring functionality and updated the firmware so that it is no longer an issue, the Chinese firm claimed. All text messages, phone logs, contact lists, and other data collected and transmitted to Adups have been deleted, the company added.
The New York Times on Tuesday quoted Blu Products CEO Samuel Ohev-Zion as saying the company had not been aware of the issue until notified by Kryptowire. Some 120,000 Blu devices were affected and have now been updated so the firmware no longer poses a threat, he said. Adups has assured Blu that all data collected on customers has been destroyed, Ohev-Zion told the Times.
In comments to Dark Reading, Tom Karygiannis, vice president of product at Kryptowire, says it is unclear how many Android phones sold in the US have the Adups firmware installed. The Kryptowire report is based only on the Blu devices the company tested in its labs, he says.
It is not possible to know if Android phones from other vendors are similarly impacted without testing them, he says.
Adups did not immediately respond to a request seeking information on whether Blu was the only Android device vendor in the US that was impacted or if others were as well.
End users cannot easily disable the system applications that collect and send device data and PII, Karygiannis says.
“If they were using the devices with the firmware we analyzed, the average consumer wouldn't know and wouldn't have been given the opportunity to review and accept a EULA” for it, he said.
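Because the collecting components live on the system partition, they cannot be uninstalled from the device's own settings; the practical check is to pull the package inventory over ADB and look at where each package is installed. The script below is an added example, not Kryptowire's tooling and not something the article provides: it parses a constructed sample in the format printed by `adb shell pm list packages -f` (`package:<apk path>=<package name>`), classifies each package as preinstalled or user-installed by its APK path, and matches names against a caller-supplied list of substrings. The article does not give the actual Adups package names, so the sample uses made-up `com.example.vendor.*` names and the search term `fota` is only an illustration drawn from the FOTA service described above.

```python
"""Triage an Android package inventory for preinstalled packages by name.

Added example. Parses the output format of `adb shell pm list packages -f`
(one `package:<path>=<name>` line per package) and, for each package whose
name contains a suspect substring, reports whether it sits on a read-only
system partition and which `pm` command would neutralize it.
"""

# Constructed sample inventory; package names and paths are invented.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Fota/Fota.apk=com.example.vendor.fota
package:/system/app/FotaSysOper/FotaSysOper.apk=com.example.vendor.fota.sysoper
package:/data/app/com.example.messenger-1/base.apk=com.example.messenger
package:/data/app/com.example.fotawidget-2/base.apk=com.example.fotawidget
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

# Partitions that are part of the firmware image and survive a factory reset.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/")


def parse_pm_list(text):
    """Return [(package_name, apk_path)] from `pm list packages -f` output.

    The path is split from the name at the last '=' because APK paths on
    newer Android releases can themselves contain '=' characters.
    """
    packages = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and name:
            packages.append((name, path))
    return packages


def triage(packages, patterns):
    """Match package names against substrings and suggest a `pm` action.

    A preinstalled package can only be disabled for the user (or uninstalled
    for the user while the APK stays in the image); a user-installed one can
    be removed outright. Both require USB debugging on the device.
    """
    patterns = [p.lower() for p in patterns]
    findings = []
    for name, path in packages:
        if not any(p in name.lower() for p in patterns):
            continue
        preinstalled = path.startswith(SYSTEM_PREFIXES)
        if preinstalled:
            action = f"adb shell pm disable-user --user 0 {name}"
        else:
            action = f"adb shell pm uninstall {name}"
        findings.append({"package": name, "path": path,
                         "preinstalled": preinstalled, "action": action})
    return findings


if __name__ == "__main__":
    for f in triage(parse_pm_list(SAMPLE_PM_OUTPUT), ["fota"]):
        kind = "preinstalled" if f["preinstalled"] else "user-installed"
        print(f"{f['package']} ({kind}, {f['path']})\n    {f['action']}")
```

On a real device the inventory comes from `adb shell pm list packages -f` piped into `parse_pm_list`, and a name match is only a starting point: confirm with `adb shell dumpsys package <name>` that the package actually holds the SMS, contacts and call-log permissions and the privileged system UID before deciding it is the component in question. Disabling it for the user stops it running but leaves the APK in the firmware image, which is why a vendor-issued update, as Blu shipped, is the real fix.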