The FOTA (firmware over-the-air) service provider Shanghai Adups Technology Co. (ADUPS) came under heavy criticism during a Black Hat session in Las Vegas. It was reported that the company's spyware is still present on a couple of Android phones, and that personally identifiable information (PII) was still being collected without consumers’ knowledge or permission.
Ryan Johnson, co-founder of Kryptowire and a research engineer, is one of the group that originally spotted the spyware. He announced that ADUPS servers, which are based in China, were still receiving user information back in May.
A year ago, Kryptowire reported that low-priced phone producer Blu Products also shipped ADUPS spyware on a couple of its phone models. Consumer data was secretly collected from the R1 HD and Life One X2 models.
ADUPS received users’ SMS messages, call history, contact lists and telephone numbers, as well as individual device identifiers such as the serial number, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI) and Media Access Control (MAC) address.
The organization claims to provide services to over 700 million connected devices.
During the session, R. Johnson noted that “At the time when I found it, they were getting all this stuff – text messages, call log, GPS location – then they rolled that back. But in May, I found that ADUPS was still collecting PII”.
Google and Blu attempted to limit the amount of information that was collected and exfiltrated from devices by ADUPS.
The organization responded to the statement with the message:
“Those issues from 2016 have been solved. In Nov. 2016, a new version has been submitted and tested by the third-party security institutions, including Kryptowire, Google and AFLS Lab. It has been pushed to our official website and partners through various channels and to the users immediately. Since November 2016, all versions of FOTA were submitted to Google for certification. We only sent completely safe and reliable versions to our customers.”
The organization also accuses Kryptowire of providing inaccurate information.
However, Kryptowire claims that Shanghai Adups Technology notably increased the extent of information it collected from consumers and is still collecting PII on some Blu phone models. The data includes a list of installed apps, cell tower IDs, users’ IMSI, and SIM card serial numbers.
In addition to the US market, the second handset producer in China, Cubot, also continues to work with Adups. Cubot X16S models also collect the list of installed apps, cell tower IDs, users’ IMSI, SIM card serial number and browser history using ADUPS software.
Cubot is popular not only in Asia, but also in Europe, Africa and Latin America, while Blu devices are broadly offered in American-based retail locations like Walmart and Best Buy. In addition, Blu is the leading provider of unlocked phones sold on Amazon.
Johnson adds that “There is no legitimate reason for Adups to be tracking user browser histories, never mind all the other data”.
In both the Cubot and Blu instances, the collected PII is sent to ADUPS servers based in China. After testing the Cubot X16S model’s software, R. Johnson indicates that ADUPS has now paused and does not collect or transfer PII back to its servers.
However, the researcher stated that Shanghai Adups Technology is still able to manage commands and, if the organization wanted, “…it could install apps, take screenshots, or wipe handsets without needing to ask for the user’s permission”.