700 Million Android Phones Pre-Installed With Chinese Backdoor

Security researchers have found that as many as 700 million Android devices may ship with a pre-installed backdoor that reports to servers in China. Read on for the details of what it collects and which devices are affected.

The Capabilities Of The Chinese Android Backdoor

Several security researchers have reported a serious threat to Android devices. According to the reports, as many as 700 million users may be affected by a backdoor that transmits private information to third-party servers located in the People's Republic of China.

The first report came from Kryptowire, in a detailed analysis. According to the company, the affected devices are sold through major US-based online retailers such as Amazon and Best Buy. The affected smartphones and tablets include popular models such as the BLU R1 HD.

According to the researchers, the devices actively relay private information about their users and themselves to third-party servers without consent. The data includes the following:

  • The full contents of all text messages, contact lists and call history with every stored telephone number
  • Device information such as the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI)
  • Text messages from specific users, and messages matching keywords defined remotely by the server

In addition, the backdoor can enumerate the applications installed on the device, bypass the Android permission model (it runs as a privileged system application), execute remote commands with system privileges, and remotely control and reprogram the device.

The firmware that shipped with the devices can remotely install applications without the user's consent, and some versions also transmit fine-grained device location data. The monitoring functionality is built into a commercial FOTA (Firmware Over The Air) update client. The code is maintained by a company named Shanghai Adups Technology Co. Ltd.

Kryptowire found that the backdoor collects the information automatically and transmits it periodically. The data is wrapped in several layers of encryption and sent over secure web protocols to a server located in Shanghai. Because it ships as a trusted system component of the firmware, the backdoor also went undetected by mobile anti-virus tools.

As of September 2016, the Adups web site claimed a user base of more than 700 million; this figure is the source of the headline number, and it is the size of the installed base of Adups software rather than a count of confirmed infections. The company claims a market share of over 70% across more than 150 countries and regions, with offices in Tokyo, Shanghai, Shenzhen, Beijing, New Delhi, and Miami. The Adups site states that it has produced firmware for more than 400 mobile operators, semiconductor vendors, and device manufacturers, for products ranging from wearables to mobile devices, cars and television sets.

Further Details About The Chinese Android Backdoor

Based on the triggers it observed, Kryptowire found that the following operations are performed on affected devices:

  • Collection and sending of SMS messages to the remote servers every 72 hours
  • Collection and sending of call logs to the remote servers every 72 hours
  • Collection and sending of personally identifiable information to the remote servers every 24 hours
  • Collection and sending of the device's IMSI and IMEI identifiers to the remote servers
  • Collection and sending of geolocation information to the remote servers
  • Collection and sending of the list of installed applications to the remote servers
  • Downloading and installation of applications without the user's consent
  • Updating and removing of applications
  • Updating the firmware of the device and reprogramming it at will
  • Arbitrary code execution with elevated privileges

The backdoor has been identified in two system applications:

  1. com.adups.fota.sysoper
  2. com.adups.fota

Neither of them can be disabled or removed by the user through the device's normal settings.
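The two package names above are the practical indicator a practitioner can check for. The following is an added example, not code from the original article or from Kryptowire: a small POSIX shell function that scans the output of `pm list packages` (as produced by `adb shell pm list packages`) for the Adups FOTA packages. The two sample listings are constructed for the demonstration, so the script runs offline; on a real device you would pipe the `adb` output into the function instead.

```shell
#!/bin/sh
# Added example (not from the article or Kryptowire): look for the Adups FOTA
# system packages in a `pm list packages` listing read from stdin.

# The two package names identified in the Kryptowire report.
ADUPS_PACKAGES="com.adups.fota.sysoper com.adups.fota"

# check_adups_packages: read "package:<name>" lines on stdin, print each
# Adups package found (one per line), return 0 if any was found, 1 if none.
check_adups_packages() {
    found=1
    # Strip the "package:" prefix that `pm list packages` puts on every line.
    pkgs=$(sed -n 's/^package://p')
    for p in $ADUPS_PACKAGES; do
        # -x requires a whole-line match, so com.adups.fota does not also
        # match com.adups.fota.sysoper.
        if printf '%s\n' "$pkgs" | grep -qx "$p"; then
            echo "found: $p"
            found=0
        fi
    done
    return $found
}

# Constructed sample listings (not captured from a real device).
SAMPLE_CLEAN="package:com.android.settings
package:com.android.phone
package:com.google.android.gms"

SAMPLE_INFECTED="package:com.android.settings
package:com.adups.fota
package:com.adups.fota.sysoper
package:com.google.android.gms"

# Usage against a connected device (needs adb; left commented):
#   adb shell pm list packages | check_adups_packages
# Offline demonstration on the constructed infected listing:
printf '%s\n' "$SAMPLE_INFECTED" | check_adups_packages
```

A match tells you the FOTA client is present, not which version of it is installed or whether it is still reporting; confirming that requires inspecting the firmware build or the device's network traffic. On many Android builds `adb shell pm uninstall -k --user 0 <package>` will remove a system package for the primary user, but that step is outside the report, may not survive a firmware update, and removes the device's update channel along with it.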

BLU Products has confirmed that 120,000 of its devices had the Adups software installed. The company has removed the software and issued the following statement:

“BLU Products has identified and has quickly removed a recent security issue caused by a third-party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices,” the company said in a statement.
“Our customer’s privacy and security are of the upmost (sic) importance and priority. The affected application has since been self-updated, and the functionality verified to be no longer collecting or sending this information.”

Kryptowire has also notified Adups, Google and Amazon of the issue.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
