Reports are emerging that some Micromax handset owners are seeing the remote installation of apps without any consent or announcement. Some users have even reported the frequent display of ads in the notification bar of their Micromax handsets. Several of these user reports made their way to Reddit recently.
One of the Reddit posts says, "For the last month or so, I've noticed apps that I never installed - apps like newshunt, snapdeal, amazon.in etc. These aren't exactly light apps, mind you - they're at least 7-8MB each. Space is really short."
XDA Developers reports that it began looking into the issue after a couple of Reddit posts detailed instances where a Micromax smartphone was involved in data mining. It found that Micromax has replaced the Google's Android firmware OTA service with a third-party app called FWupgrade.apk by a Chinese company called Adups Technology. It also adds that the third-party FOTA app installed by the company onto handsets downloads apps in the background without the need of consent from the user while also showing multiple ads at once.
XDA, explaining the ways in which an app can install another app, said, "To do this from within another app, you either need to use the Android PackageManager API directly, or issue the installation commands from a shell." The report claims Adups' FOTA app uses the second method to install with command line access.
The issue has certainly raised eyebrows as the silent, auto-install of such apps could eat up a lot of the inbuilt storage of the smartphone as well as use mobile data in the background to install apps. Not to mention the nuisance and security risk of having ads for potentially dangerous applications being displayed.
The report, after digging some more into the app, found references to the Adups website and even came up with a list of features of the FOTA app with promise to "Boost more revenue". The features listed were "App push service. Device Data Mining. Unique package checking. Mobile advertising." While XDA and users have either noticed or found evidence for three out of four of these features, the scariest, device data mining, remains unexplored. Exactly what data is being collected, and to whom is it being sent, and is it being sent securely, are questions we'd like answered. Also, by enabling command line access to a third-party app, Micromax has also "practically left a backdoor open for the sake of profits and data mining", notes Slashgear.
The most worrying fact here is that Micromax is obviously aware of how Adups' FOTA app installer works. For a company of Micromax's size, it is surprising it would be resorting to such methods for monetisation. Also, without explicit user permission to perform the functions it does, the app can be termed as malware.
The report finds the only way to disable the app is by rooting the smartphone - as the disable button has been deactivated - and then going through some relatively complicated steps to finally disable it. This also disables the smartphone's ability to search for updates.
We reached out to Micromax to respond to these reports, and a spokesperson provided the below statement:
"Customer satisfaction is paramount to Micromax and therefore we have taken immediate steps to put constant surveillance across our systems. We are closely monitoring to plug any unknown potential gap and provide a resolution at the earliest."
In the meanwhile, GSMArena has received a statement from Adups Technology which says the "case" is being investigated with Micromax.
"Adups Technology is the leader in FOTA technology and the best professional FOTA service provider in the world. More than 60% smart device manufacturers have adopted Adups FOTA so far.
Our customers trust us can provide a high-quality FOTA solution to them to continue to develop high-performing and sophisticated smart devices for their end-users around the global.
We have helped our vendors to release a mass of updates in the past three years. Even so, we have never received any complaints from our customers and end-users for any bad service.
Adups will never do any operations unrelated with updates without knowing of our customers and their end-users.
About remotely installing unwanted apps and AD push on Micromax phones, we began at once to investigate the case with Micromax. We have suspected some competitors slandered us behind our back and we will detect the truth by pursuing legal claims. Those guys released network of rumor must be responsible for this event and all losses. We have got the sample device and some snapshots about this event, we will submit another statement about this after we analysis the applications integrated before and trace the system logs."