Security researchers from Kryptowire have found a secret backdoor in the firmware of many Android smartphones sold in the US, which covertly gathers information on phone owners and sends it to a server in China.
According to Kryptowire, the server belongs to a company named Shanghai Adups Technology Co. Ltd., which manufactures and sells a FOTA (Firmware Over The Air) update software system that many Android OEMs ship with their devices.
This malicious FOTA update system behaves just like any backdoor trojan, contacting the Chinese company's server and asking for instructions. Based on the received commands, it can execute multiple operations, detailed below:
According to Kryptowire, the backdoor is found inside two system applications that users can't disable or remove. Their names are:
On its website, Adups brags that its firmware runs on over 700 million Android devices, but it's unclear how many of these run the FOTA update system.
Security researchers say they've found the backdoored FOTA update system in the firmware of the popular BLU R1 HD smartphone.
In most cases, the affected devices are low-end budget Android models, often used as disposable phones. These devices can be found on sale on Amazon and BestBuy.
Kryptowire is a DHS security contractor, but they discovered the security flaw outside their government contracts.
Their discovery about Adups' business practices is similar to the 2011 case of Carrier IQ, another smartphone software vendor.
In 2011, security researcher Trevor Eckhart discovered that smartphones running Carrier IQ software included a rootkit that allowed the software to capture keystrokes.
The software never sent the captured data to Carrier IQ servers. The FTC started an investigation, and several mobile carriers sued the company. Kryptowire says it notified the US government about its findings.