Despite last year's revelation that some smartphones sold in the US were laced with software that could send private data to servers in China, it seems nothing was learnt from the mistake. According to a recent study, the group behind last year's privacy-invading software appears to be still active and continues to send personal data to China, only more discreetly than before.
Shanghai Adups Technology, a firm based in China, was caught in November last year having added a backdoor to the firmware of cheap smartphones like the Blu R1 HD sold in the US. The firmware was found to be sending personally identifiable information (PII) to servers in China via the backdoor. At the time, the Shanghai-based firm said it had mistakenly used code meant for China-based software in this firmware.
Researchers at Kryptowire discovered the backdoor at the time. At the Black Hat security conference in Las Vegas on Wednesday, the security firm revealed that Adups' software is still sending data from the Blu Grand M smartphone to the company's server in China, CNET reports. Ryan Johnson, a research engineer and co-founder at Kryptowire, discovered this in May, almost six months after Shanghai Adups Technology confessed it was a mistake.
"They replaced them with nicer versions," Johnson said. "I have captured the network traffic of them using the command and control channel when they did it." Following this reveal, an Adups spokeswoman said the company had resolved the issues last year and that the firmware "are not existing anymore."
Apart from the Blu smartphone, Johnson also found the firmware on the Cubot X16S. These cheap Chinese phones sent data to China that included a list of apps installed, the apps used, IMEI numbers, call logs, browser history, and more. Adups claimed last year that its software is present in more than 700 million devices in 200 countries, mostly low-cost phones.
Cases of spyware, malware, and ransomware have been growing in recent times. The Black Hat security conference follows recent cyber-attacks like the WannaCry and Petya ransomware. There have also been recent reports of Android-based malware like SpyDealer and LeakerLocker. All of these cases have raised alarm over the safety of personal information in the digital space.
These cases also point to some serious vulnerabilities in the Android platform. Kryptowire said last year that it examined 20 pieces of firmware from low-end Android devices, all of which seemed to have vulnerabilities that could allow spyware apps. Notably, all of these devices also had a particular MediaTek chipset. The chipset comes with a pre-installed app called MTKLogger, which allowed for surveillance of data such as browser history and GPS, to name a few. While MediaTek claims to have resolved the issue, the security firm found the vulnerability still present as of last week on the Blu Advance 5.0.
As of now, it's unclear what happens to the data when it reaches China. Adups has said that it would delete the data, but that doesn't answer how it has been used and in what capacity.
Update: Blu has provided a statement regarding the reports:
BLU Products responds to inaccuracies reported by several news outlets, making clear that there is absolutely no spyware or malware or secret software on BLU devices; these are inaccurate and false reports. BLU is reaching out to several reporters to correct their articles and issue apologies, which BLU has started receiving.
The original report by Kryptowire issued in November 2016 regarding the Adups OTA application stated a small fraction of BLU phones had a version of the application which was collecting phonebook contacts and text messages. Since BLU was unaware of this collection, they hadn't notified customers, thus it was deemed as a potential privacy issue. BLU moved quickly and resolved the problem by having Adups turn off this functionality.
Furthermore, BLU decided to switch the Adups OTA application on future devices with Google's GOTA. Even though it is BLU's policy to only use GOTA moving forward, some older devices still use ADUPS OTA.
Using ADUPS OTA is not an issue here. ADUPS is a well-known application used by several device manufacturers around the world. The issue is exactly what kind of data is actually being collected by this ADUPS application, and whether it presents a security or privacy risk.
BLU has several policies in place which take customer privacy and security very seriously, and confirms that there has been no breach or issue of any kind with any of its devices.