Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China - without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon and BestBuy, for example) and included popular smartphones such as the BLU R1 HD and the BLU Life One X2. These devices actively transmitted user and device information including the full body of text messages, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity (IMSI), serial number, Media Access Control (MAC) address, and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely-defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.
The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information. The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd. Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. Some of the collected information was encrypted and then transmitted over secure web protocols to a server located in Shanghai. This software and its behavior bypass detection by mobile anti-virus tools because those tools assume that software shipped with the device is not malware and therefore white-list it.
In September 2016, Adups claimed on its web site to have a world-wide presence with over 700 million active users, and a market share exceeding 70% across over 150 countries and regions with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.
Ryan Johnson is a PhD student at George Mason University in Fairfax, VA. His research interests are dynamic analysis, Android app analysis, and reverse engineering. He is a co-founder of Kryptowire LLC and currently works there as a research engineer.
Dr. Angelos Stavrou founded Kryptowire LLC and is an Associate Professor at George Mason University and the Director of the Center for Assurance Research and Engineering (CARE) at GMU.
Dr. Azzedine Benameur is an experienced researcher in Security & Privacy with a strong industrial focus, and is currently a Cyber Security Research & Development manager with Accenture Technology Labs in Washington D.C. He previously led mobile security Research and Development at Kryptowire. He has over 10 years of experience working on Security, Privacy, Cloud Security, and Mobile, and a proven track record of delivering industrially focused research with prototypes and patents while pushing the state of the art with academic publications. In his past role at Symantec he was in charge of enhancing the detection of rooted devices and pushed a novel patented solution into both the enterprise and consumer versions of Norton, used by millions of users. He also focused on Cloud security and low-level binary security issues through DARPA- and IARPA-funded projects (MEERKATS and MINESTRONE). Prior to Symantec he was a Researcher in the Cloud and Security Lab of HP Labs Bristol, UK, where he worked on privacy as part of the European Union's EnCoRe project, investigating fine-grained consent and revocation in user-centric applications. Prior to this he worked on SERENITY, another European Union security research project, at the Security & Trust Lab of SAP Research.