The backdoor was discovered by Kryptowire
According to the analysis made by security firm Kryptowire, some commercial firmware pre-installed on Android smartphone models sold in the US has been found to be secretly sending personal data to a third party company based in China, without users’ knowledge or consent.
The stolen data include text messages, call logs, contacts, app usage data and the user's location.
The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and was managed by a company named Shanghai Adups Technology Co. Ltd.
The collected information was encrypted and transmitted over HTTPS to a server located in Shanghai:
The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other PII data. The information was transmitted to the following back-end server domains:
- bigdata.adups.com (primary)
All of the above domains resolved to a common IP address: 220.127.116.11 that belongs to the Adups company.
During our analysis, bigdata.adups.com was the domain that received the majority of the information, whereas rebootv5.adsunflower.com with IP address: 18.104.22.168 was the domain that could issue remote commands with elevated privileges to the mobile devices.
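As an added defender-side example (not code from the Kryptowire report), the script below scans a DNS resolver log for devices that query the back-end domains named above at roughly the reported 24-hour or 72-hour cadence; the log format (timestamp, client, queried name) and the sample lines are constructed.

```python
"""Flag devices beaconing to the Adups back-end domains named in the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the report names as Adups back-end servers.
ADUPS_DOMAINS = {"bigdata.adups.com", "rebootv5.adsunflower.com"}
# Reported upload periods: 72 h for SMS/call logs, 24 h for other PII.
EXPECTED_PERIODS = (timedelta(hours=24), timedelta(hours=72))
TOLERANCE = timedelta(hours=2)  # assumption: allow jitter around each period


def parse_dns_log(lines):
    """Yield (timestamp, client, name) from 'ISO-ts client name' lines (assumed format)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name.rstrip(".").lower()


def find_beaconing_clients(lines):
    """Return {client: {domain: [gap_hours, ...]}} for clients with at least
    three lookups of an Adups domain whose gaps all match a reported period."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, client, name in parse_dns_log(lines):
        if name in ADUPS_DOMAINS:
            seen[client][name].append(ts)
    findings = {}
    for client, per_domain in seen.items():
        for domain, stamps in per_domain.items():
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if len(gaps) < 2:
                continue  # too few samples to call it periodic
            if all(any(abs(g - p) <= TOLERANCE for p in EXPECTED_PERIODS) for g in gaps):
                hours = [round(g.total_seconds() / 3600, 1) for g in gaps]
                findings.setdefault(client, {})[domain] = hours
    return findings


# Constructed sample log: 10.0.0.5 beacons at 24 h and 72 h, 10.0.0.7 does not.
SAMPLE_LOG = """\
2016-11-10T02:00:00 10.0.0.5 bigdata.adups.com.
2016-11-11T02:05:00 10.0.0.5 bigdata.adups.com.
2016-11-12T01:58:00 10.0.0.5 bigdata.adups.com.
2016-11-10T03:00:00 10.0.0.5 rebootv5.adsunflower.com.
2016-11-13T03:10:00 10.0.0.5 rebootv5.adsunflower.com.
2016-11-16T02:50:00 10.0.0.5 rebootv5.adsunflower.com.
2016-11-10T09:00:00 10.0.0.7 bigdata.adups.com.
2016-11-10T09:30:00 10.0.0.7 example.com.
"""

if __name__ == "__main__":
    for client, hits in find_beaconing_clients(SAMPLE_LOG.splitlines()).items():
        print(client, hits)
```

A single lookup (as for 10.0.0.7) is still worth reviewing on its own, since the domains themselves are the indicator; the periodicity check only raises confidence.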
A full list of affected devices is not available at this point, but Kryptowire says:
In September 2016, Adups claimed on its web site to have a world-wide presence with over 700 million active users, and a market share exceeding 70% across over 150 countries and regions with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.