Android Phones Found With Hidden Firmware Collecting Personal Data

Kryptowire Discovered Mobile Phone Firmware That Transmitted Personally Identifiable Information (PII) Without User Consent Or Disclosure

Kryptowire announced today that it has identified several Android phone models available through major retailers such as Best Buy and Amazon that contain hidden firmware collecting sensitive personal data without user knowledge or consent.

Kryptowire has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted it to third-party servers without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon and Best Buy, for example) and included popular smartphones such as the BLU R1 HD. The core of the monitoring activity took place in a commercial Firmware Over The Air (FOTA) update system that shipped with the Android devices we tested and was operated by a company named Shanghai Adups Technology Co. Ltd. These devices actively transmitted user and device information, including the full body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers such as the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware that shipped with the devices, and its subsequent updates, allowed remote installation of applications without the users' consent and, in some versions of the software, transmission of fine-grained device location. The firmware could also single out specific users and select text messages matching remotely defined keywords.
The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the device. Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. The collected information was wrapped in multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. This software and its behavior evade mobile anti-virus tools, which assume that software shipping with the device is not malware and therefore whitelist it. In September 2016, Adups claimed on its web site to have a worldwide presence with over 700 million active users and a market share exceeding 70% across over 150 countries and regions, with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that its firmware is integrated by more than 400 leading mobile operators, semiconductor vendors, and device manufacturers, spanning wearable and mobile devices to cars and televisions. We analyzed the Personally Identifiable Information (PII) collected from several devices, including one of the bestselling unlocked smartphones sold by major online retailers, and transmitted in encrypted form to servers in Shanghai. Some devices also transmitted the bodies of the user's text messages and call logs to a server located in Shanghai. All of the data collection and transmission capabilities we identified were supported by two system applications that cannot be disabled by the end user. These system applications have the following package names:
The data collection and transmission capability is spread across several applications and files. Text messages and call log information were transmitted every 72 hours, and other PII every 24 hours. The information was transmitted to the following back-end server domains:
All of the above domains resolved to a common IP address, 221.228.214.101, which belongs to Adups. During our analysis, bigdata.adups.com was the domain that received the majority of the information, whereas rebootv5.adsunflower.com (IP address 61.160.47.15) was the domain from which remote commands with elevated privileges could be issued to the mobile devices. We identified two important elements in the server's response: "given" and "keyword". Our analysis indicates that "given" selects messages exchanged with a specific phone number, while "keyword" selects messages containing a specific string. In the example above this server's response is set to transmit all the text messages on the device. As smartphones are ubiquitous and, in many cases, a business necessity, our findings underscore the need for more transparency at every stage of the supply chain. Kryptowire has developed tools aimed at detecting software that can violate privacy and security policies but is not necessarily classified as malware. In many cases these applications are benign, but they exhibit behavior that is non-compliant with organizational, industry, and government policies. Kryptowire has communicated its findings with respect to the affected devices to Google, Amazon, Adups, and BLU Products, Inc. Source: Kryptowire release
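Because the uploads bypass on-device anti-virus, the practical place to catch this behavior is at the network edge, using the indicators the write-up gives: the two named domains, the two IP addresses, and the 24-hour and 72-hour upload cadence. The following is an added example written for this page, not code from Kryptowire or Adups. It matches constructed DNS-resolver log lines against those indicators and then flags client/domain pairs whose lookups recur at one of the reported intervals. The log line format, the sample entries, and the 30-minute jitter tolerance are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the write-up above.
ADUPS_DOMAINS = {"bigdata.adups.com", "rebootv5.adsunflower.com"}
ADUPS_IPS = {"221.228.214.101", "61.160.47.15"}

# Reported upload cadence: 72h for SMS and call logs, 24h for other PII.
EXPECTED_PERIODS = (timedelta(hours=24), timedelta(hours=72))
TOLERANCE = timedelta(minutes=30)  # assumption: allowed scheduler jitter

# Constructed sample resolver log (not a real capture).
# Assumed format: "<ISO timestamp> <client-ip> <qname> -> <answer-ip>"
SAMPLE_LOG = """\
2016-11-10T02:00:05 10.0.0.23 bigdata.adups.com -> 221.228.214.101
2016-11-10T02:00:06 10.0.0.23 update.example.org -> 93.184.216.34
2016-11-11T02:00:09 10.0.0.23 bigdata.adups.com -> 221.228.214.101
2016-11-12T01:59:58 10.0.0.23 bigdata.adups.com -> 221.228.214.101
2016-11-10T03:14:00 10.0.0.23 rebootv5.adsunflower.com -> 61.160.47.15
2016-11-13T03:13:42 10.0.0.23 rebootv5.adsunflower.com -> 61.160.47.15
2016-11-10T09:00:00 10.0.0.41 www.example.com -> 93.184.216.34
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, client, qname, answer); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, answer = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), answer


def is_adups_ioc(qname, answer):
    """Match on the queried name or the resolved address.

    The page's domain list is only partially reproduced and all of those
    domains shared one address, so matching the answer IP catches lookups
    for domains that are not in ADUPS_DOMAINS.
    """
    return qname in ADUPS_DOMAINS or answer in ADUPS_IPS


def find_ioc_hits(log_text):
    """Return every parsed record that touches an Adups indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_adups_ioc(rec[2], rec[3]):
            hits.append(rec)
    return hits


def periodic_beacons(hits):
    """Group hits by (client, qname) and report the cadence in hours when every
    gap between consecutive lookups is within TOLERANCE of 24h or 72h."""
    by_key = defaultdict(list)
    for ts, client, qname, _ in hits:
        by_key[(client, qname)].append(ts)
    findings = {}
    for key, times in by_key.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        matched = [p for p in EXPECTED_PERIODS
                   if gaps and all(abs(g - p) <= TOLERANCE for g in gaps)]
        if matched:
            findings[key] = int(matched[0].total_seconds() // 3600)
    return findings


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    for ts, client, qname, answer in hits:
        print(f"IOC hit  {ts.isoformat()}  {client}  {qname} -> {answer}")
    for (client, qname), hours in periodic_beacons(hits).items():
        print(f"beacon   {client} -> {qname} every ~{hours}h")
```

Two caveats when running this against real logs: the IP addresses were observed in 2016 and can be reassigned, so treat the domain names and the beacon cadence as the more durable signals; and a single lookup is an indicator, not a conviction, since the firmware contacts the same infrastructure for legitimate FOTA update checks.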