Software Used in Mobile Phones Sends Texts, Location Data and Contacts Back To China

The BLU R1 HD phone was observed sending sensitive user data back to a server in China. The company responsible, Shanghai Adups Technology Co. Ltd., said that was a mistake and that the problem has been corrected.
The BLU R1 HD phone was observed sending sensitive user data back to a server in China. The company responsible, Shanghai Adups Technology Co. Ltd., said that was a mistake and that the problem has been corrected.

In-brief: software used in at least one brand of smart phones sold in the U.S. was found to secretly send private information about the phone’s owner back to servers in China, according to a report by the security firm Kryptowire.

Software used in at least one brand of smart phones sold in the U.S. was found to secretly send private information about the phone’s owner back to servers in China, according to a report by the security firm Kryptowire.

The software, made by the firm Shanghai ADUPS Technology Co., was observed sending user and device information to servers in China at regular, 72 hour intervals, according to Azzedine Benameur, a researcher at Kryptowire. Further analysis by researchers at Kryptowire determined that the data included the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) of the phone. Using that data, a third-party or government could easily monitor the doings and conversations of a phone’s owner, Benameur said.

The firmware could identify specific users and text messages matching remotely defined keywords and collected and transmitted information about the use of applications installed on the monitored device. Because the remote update software is used to update the operating system and other key components, it runs with elevated permissions and could remotely reprogram the devices, Kryptowire said in a statement.

The ADUPS software comes installed in several models of Android mobile devices sold through major US-based online retailers like Amazon and BestBuy among others. It is intended to manage over-the-air (or OTA) updates of the “firmware” (or software) that runs the phones. However, researchers from Kryptowire observed the phones transmitting large volumes of data to servers owned and operated by ADUPS in China. Among them is the BLU R1 HD, an inexpensive smart phone that retails for between $65 and $180.

Kryptowire researchers first became aware of the problem when one employee purchased a BLU R1 phone from Amazon.com to use as a temporary or “burner” phone for an overseas trip, Benameur said.  Analyzing the phone using specialized tools, Kryptowire observed the firmware accessing the text, contact and location data. That information was encrypted and transmitted to servers in China.

Further analysis of the firmware and supporting files found that the update software allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information.

“The firmware could identify specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices,” Kryptowire said in a statement.

“It was beyond our expectations. We know how ad networks work in terms of fingerprinting devices, but we didn’t anticipate the scale and depth of the data collection,” said Benameur.

In a statement, ADUPS said that the features discovered by Kryptowire were developed in response to a customer request for a way to “screen out junk texts and calls from advertisers.” The customized version “collects messages to identify junk texts using back-end aggregated data analysis” with the goal of improving the “mobile phone experience,” ADUPS said. The features for analyzing text message content were in order to “(flag) texts containing certain language associated with junk texts and … numbers associated with junk calls and not in a user’s contacts,” the company said.

The software made it into Blu Product phones in June 2016 after Blu applied a version of the ADUPS FOTA application that inadvertently included custom functionality.

“When Blu raised objections, ADUPS took immediate measures to disable that functionality on Blu phones,” the company said.  “ADUPS updated applications for Blu phones, and those phones have passed the Kryptowire test. ADUPS also confirmed that no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a Blu phone during that short period was deleted,” the company said.

ADUPS said it has been cooperating with Blu and Google to verify that “such flagging of junk texts and calls does not happen in the updated versions of the firmware in Blu’s phones.”

But Benameur said that the ADUPs explanation doesn’t all add up. “Do you need text messages for support data,” he asked.

Also unclear is how widespread the use of the ADUPs software is. The company claims that its software runs on some 700 million devices, though it is unclear how many use the specific version of the software update program Kryptowire analyzed. Also unclear is whether the data collection is common to all phones using the ADUP over the air update software or whether it is limited to certain countries or even regions. The software’s ability to collect location information would allow anyone controlling the software to limit its use based on location, as well, Benameur said.

The incident is just the latest to underscore the risks posed by hardware and software “supply chain” firms – many little known companies in China.

Xiongmai Technologies, the hardware and software vendor whose wares power many of the closed circuit TV cameras, digital video recorders (DVRs) and network video recorders (NVRs) enlisted in the Mirai botnet agreed last month to recall some 10,000 affected devices, according to published reports.

The company’s technology figured prominently in a denial of service attack on Friday on Dyn, a New Hampshire based provider of managed Domain Name System services. Dyn counted Twitter, Spotify, CNN.com, The New York Times and other leading sites as customers.

As reported by The Security Ledger, an analysis of XiongMai’s technology by the firm Flashpoint found a number of features that make them easy targets for hackers. Among them: hard-coded the default credentials in the firmware, which customers are unable to change. Also, another flaw in the software XiongMai ships to manage its hardware components allows anyone with knowledge of the IP address of a device running the software to forego logging in at all.

Security Ledger wants to hear your thoughts! Leave a reply.