Mobile security is a huge issue, but most consumers tend to think that at least a brand new phone is safe. That assumption may be in error, according to security research firm Kryptowire. In a new report Kryptowire documents the inclusion of software tools collectively called Adups, which allegedly shipped on phones like the Blu R1 HD and other devices sold internationally, including the US market via Amazon and Best Buy.
If true, the report is a damning accusation for the software's creator Shanghai Adups Technology and its manufacturer and carrier partners. Kryptowire claims that Adups has the capability to collect IMEI data, SMS logs and contents, call logs, contact names, and IP addresses, then send the data back to third party servers in China without notification or permission from users. Said data was collected and encrypted every 24 to 72 hours in the testing phase, then transmitted to two specific IP addresses owned by Adups. Even worse, the software can remotely install new applications with system-level permissions.
Adups bills itself as a company that supplies services for over-the-air software delivery. Though Adups does not exclusively service cell phones (its marketing material includes connected cars, home monitoring equipment, retail sales software, and wearable tech), it claims 700 million active users in over 200 countries. The remote backup and install capabilities of the Adups software aren't unheard of, but they're generally available only to manufacturers and carriers, and aren't usually paired with access to personally identifiable information like contact names.
Kryptowire's findings have not been independently verified, and a full list of affected devices has not been posted. If you wish to check your own device, the APK files reportedly responsible for transmitting data and remotely accessing hardware are "com.adups.fota" and "com.adups.fota.sysoper." Kryptowire's report says that Google, Amazon, Blu, and Adups have been alerted to its contents. Ars Technica reports that Blu has already patched the affected devices and that the software is no longer transmitting personal information.
Several of our readers have been sent emails directly from Amazon, informing them that a crucial security update was coming in for the Blu R1 HD. While the spyware in the report above wasn't specifically mentioned, it seems pretty safe to assume that this triggered a fast update. Here's the text of the email:
We recently learned of a potential security issue with a BLU smartphone our records indicate you purchased or registered:
BLU R1 HD - 16 GB - Black - Prime Exclusive - with Lockscreen Offers & Ads
BLU intends to push out a software update that will fix the issue. Any phone that is powered on and connected to the Internet (through Wi-Fi or a cellular data connection) will automatically receive the update. For more information, including a list of affected phones and instructions for confirming that your phone has been updated, please visit www.bluproducts.com/security, or contact BLU customer service at 1-877-602-8762 or [email protected]
The Blu R1 HD also seems to have been removed from sale on Amazon.com, formerly its only retail outlet in the United States.
Thanks to everyone who sent this in.
Despite not being mentioned in the initial security report, or indeed the news post above, Chinese manufacturer ZTE would like everyone to know that they don't install the Adups spyware on their phones, at least not in the US. Here's a statement from ZTE's American PR team:
“We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.”
- Ars Techinca