Adups — The Spy in your Pocket

Mobile Malware

written by Antoine Neuenschwander

Smartphones have become inseparable companions in our everyday life. They are so cheap nowadays that you can buy a commodity device running Android for less than a hundred Swiss francs. Smartphones are not mere wireless telephones. They are modern computer systems equipped with a variety of sensors (cameras, microphone, GPS receiver, gyroscopes and accelerometers, etc.) and with multiple wireless interfaces such as multi-generation mobile networking, 2.4 and 5 GHz Wi-Fi, Bluetooth and NFC, which make them a versatile communication platform with a near-permanent Internet connection. Put another way: a typical smartphone already carries every component needed to turn it into a perfect bugging device.

On November 15th 2016, Kryptowire published a blog post revealing that "several models of Android mobile devices contained a firmware that collected sensitive personal data about their users and transmitted the data to third-party servers without disclosure or the users' consent". The sensitive data includes unique device and user identifiers, but also contact lists, call history, installed applications and, under certain circumstances, text messages as well as fine-grained location data. The firmware in question originates from Adups, a Shanghai-based company specializing in mobile and IoT technologies. It is part of their FOTA product (Firmware Over The Air), a commercial replacement for Google's over-the-air update mechanism that is used to deploy firmware upgrades to devices. The FOTA component comes pre-installed on various brands and models of Android devices manufactured in China. Installed as a system APK, the software has unrestricted access to all data on the device and cannot be uninstalled by the user.

HTTP request originating from a device affected by the Adups backdoor

Blogs and news sites such as the NY Times rapidly picked up the news, and security researchers published in-depth technical analyses of the backdoor. Public attention nevertheless seems to have remained limited. A couple of weeks after the disclosure, SWITCH-CERT decided to investigate whether, and how many, users within its constituency were affected by this backdoor. Interestingly, the network communication is remarkably conspicuous. We observed different versions of FOTA communicating over plain HTTP, with requests directed at two IP addresses geolocated in the greater Shanghai area. Earlier versions of FOTA transmit only technical data such as the current firmware build name and version number, which is in line with Adups' legitimate use case. Later versions additionally include personally identifiable information (PII) such as the IMEI, IMSI, MSISDN and the Wi-Fi adapter's MAC address. Other payloads are not transmitted in clear text: the authors used a symmetric cipher (single DES in CBC mode) to conceal the exfiltrated data. Reverse engineering the FOTA APK from any single affected device reveals that the key material is trivial, the key string being "NotCrack" and the initialization vector "12345678". Because the key is hard-coded and shared by every installation, extracting it once from one device is enough to decrypt the traffic of all of them; and even without the APK it could have been recovered quickly with a dictionary attack, single DES offering only a 56-bit key space in any case. The protected payloads carry no data more sensitive than the types already listed. Other sensitive data, such as call logs and SMS messages, are transmitted as plain ZIP files. Evidently the authors did not want to expose the siphoned data blatantly, yet they invested only a minimal effort in obfuscation.

For the sake of our investigation, and after informing the parties concerned, we started monitoring network traffic on the SWITCH backbone for connections matching Adups FOTA's communication with the two IP addresses mentioned above. Within a month we detected a little under a thousand affected devices, roughly 0.3% of the estimated number of network users. The collected data shows no very surprising patterns. The event distribution over time shows that most requests are made during working hours, with peaks around noon and practically no activity at night; there are also clear minima at weekends. This behavior is consistent with people carrying their smartphones along to their workplace.

Hourly event distribution over three days
Individual users per day

Looking at the source IP addresses of the requests, we observed that the number of affected devices per originating organization is proportional to that organization's staff and student headcount. Nor did we discover any trend attributable to geographical location. By inspecting the payloads we could retrieve further information, such as the mobile operator, derived from the first five digits of the IMSI (the MCC and MNC), which can be resolved with any public MCC/MNC lookup table. Here again the distribution shows no particular skew: the three main Swiss operators are represented roughly in proportion to their market shares, followed by smaller Swiss and foreign operators. In general, we assume a uniform distribution of affected devices over the population. We also retrieved brand and model names from the request data, which show that various brands are affected by the Adups backdoor.

Affected devices by mobile operators
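As an added example (not SWITCH-CERT's monitoring tooling and not code from Adups), the following Python script shows how check-in traffic of the kind described above can be triaged offline from captured HTTP requests: requests to the watched destinations are picked out, clear-text identifiers are flagged, the IMEI is sanity-checked with its Luhn check digit, the operator is resolved from the first five digits of the IMSI, and ZIP uploads and opaque (encrypted) bodies are labelled separately. The destination IPs, URL paths, parameter names, the small MCC/MNC table and all sample requests are constructed assumptions; the real FOTA request layout is only shown in the screenshot above and is not reproduced here.

```python
"""Offline triage of captured HTTP check-ins that look like Adups FOTA traffic.

Added example, not SWITCH-CERT's or Adups' code. Destination addresses, URL
paths, parameter names, the MCC/MNC table and all sample records below are
constructed for illustration and are not taken from the real captures.
"""
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Watched destinations. RFC 5737 documentation addresses stand in for the two
# real Shanghai-area IPs, which are deliberately not reproduced here.
FOTA_SERVERS = {"192.0.2.10", "192.0.2.11"}
# Parameters that identify a subscriber or handset when sent in clear text.
PII_KEYS = {"imei", "imsi", "msisdn", "mac"}
# Local ZIP file header magic: call logs and SMS dumps travel as plain ZIP files.
ZIP_MAGIC = b"PK\x03\x04"
# MCC 228 is Switzerland (2-digit MNC). Assumed assignments; verify against a
# current MCC/MNC registry before relying on them.
OPERATORS = {"22801": "Swisscom", "22802": "Sunrise", "22803": "Salt"}


def luhn_ok(digits):
    """True if a decimal string passes the Luhn check used for the IMEI check digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def operator_of(imsi):
    """Resolve MCC+MNC (first five digits of the IMSI) to an operator name."""
    if not imsi.isdigit() or len(imsi) < 5:
        return None
    return OPERATORS.get(imsi[:5], "unknown %s-%s" % (imsi[:3], imsi[3:5]))


def parse_params(path, body):
    """Merge URL query parameters and a form-encoded body into one dict."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}
    if body:
        params.update({k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()})
    return params


def classify(ts, src, dst, path, body):
    """Describe one request to a watched server; None for any other destination."""
    if dst not in FOTA_SERVERS:
        return None
    f = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src, "dst": dst, "path": path}
    if body.startswith(ZIP_MAGIC):
        f["kind"] = "zip-archive"
        return f
    params = parse_params(path, body)
    leaked = sorted(k for k in params if k.lower() in PII_KEYS)
    f["version"] = params.get("version")
    f["plaintext_pii"] = leaked
    # A body that yields no form parameters is opaque, e.g. a DES-CBC blob.
    f["kind"] = "pii" if leaked else ("telemetry" if params else "opaque")
    if "imei" in params:
        f["imei_valid"] = luhn_ok(params["imei"])
    if "imsi" in params:
        f["operator"] = operator_of(params["imsi"])
    return f


def triage(records):
    """Classify a capture and aggregate findings per operator and per hour of day."""
    findings = [f for f in (classify(*r) for r in records) if f]
    per_operator = Counter(f["operator"] for f in findings if f.get("operator"))
    per_hour = Counter(f["time"].hour for f in findings)
    return findings, dict(per_operator), dict(per_hour)


# Constructed capture: (timestamp, source IP, destination IP, path, raw body).
SAMPLE_REQUESTS = [
    ("2016-12-05 09:12:44", "10.1.2.3", "192.0.2.10",
     "/fota/check?build=ALPS.L1.MP6.V2&version=4.2.1", b""),
    ("2016-12-05 12:03:10", "10.1.5.9", "192.0.2.11", "/fota/report",
     b"version=5.2.3&imei=490154203237518&imsi=228019876543210"
     b"&msisdn=41790000000&mac=00:11:22:33:44:55"),
    ("2016-12-05 12:40:01", "10.1.7.7", "192.0.2.11", "/fota/report",
     b"version=5.2.3&imei=123456789012345&imsi=228029876543210"
     b"&msisdn=41760000000&mac=66:77:88:99:aa:bb"),
    ("2016-12-05 18:20:15", "10.1.7.7", "192.0.2.11", "/fota/data",
     b"\x9f\x8b\xc2\x10\x77\xa4\x0e\x51"),  # opaque 8-byte blob
    ("2016-12-05 22:15:32", "10.1.2.3", "192.0.2.10", "/fota/upload",
     ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00 constructed stub"),
    ("2016-12-05 10:00:00", "10.1.8.8", "203.0.113.5", "/api/v1/ping", b""),  # unrelated
]

if __name__ == "__main__":
    findings, per_operator, per_hour = triage(SAMPLE_REQUESTS)
    for f in findings:
        print(f["time"], f["src"], f["kind"], f.get("plaintext_pii", []), f.get("operator", ""))
    print("per operator:", per_operator)
    print("per hour:", per_hour)
```

On a real capture the per-hour counter reproduces the working-hours pattern described above, and the per-operator counter the market-share distribution. The Luhn check only catches malformed or truncated IMEIs; it cannot distinguish a genuine identifier from a fabricated one that happens to validate, and an opaque body is merely "not form-encoded", which is a hint towards the DES-CBC payloads rather than proof of encryption.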

Having confirmed a non-negligible amount of Adups traffic on the network, we were unsure how to proceed and which parties to contact for remediation. On its website, Adups addresses the issue in its FAQ and in a dedicated privacy notice about FOTA. In its statement of December 7th 2016, it attributes the data collection to a bug that was "...inadvertently applied to certain BLU mobile devices..." and that was fixed in version 5.5. Adups further states that it stores only "...basic device information and product model information..." and that "...none of this information can be used to identify the users...", and justifies the practice with "...legitimate business interests and as necessary to provide the FOTA services and customer support to its customers." The latter claim is hard to reconcile with the IMEI, IMSI and MSISDN observed in the requests, each of which identifies a specific handset or subscriber. On the manufacturers' side, some proactively informed their users about the unauthorized data collection, whereas others have not yet confirmed the incident; to date, most manufacturers have published no statement about Adups at all.

Affected manufacturers and models

We discussed the issue with our peers in the Swiss university community. One key question was whether blocking traffic to the two IP addresses would be effective. On the one hand, it would protect the victims only while they are connected to our networks; on the other, the legitimate purpose of Adups FOTA is to deploy (security) updates to users, which should not be prevented. We all agreed that it was necessary to inform the owners of affected devices. SWITCH-CERT therefore reported all sightings of Adups-affected devices to the IT security staff of the organizations concerned, so that they could get in touch with the victims and provide guidance appropriate to the type and number of cases. This is the tricky part: should we recommend that users update to FOTA version 5.5? Should they disable the service, or rather get rid of the smartphone altogether? But then, which manufacturer should they turn to for a replacement? How can one assess the trustworthiness of a given device?

Unfortunately, we cannot give definitive answers to these questions. As the analysis shows, the Adups backdoor was far from designed to operate in the shadows, and yet it managed to persist for years. There are certainly other backdoors in the wild, optimized for stealth, that have yet to be revealed. The Adups case is a reminder that all technologies are double-edged: the advent of smartphones was a revolution in telecommunications with great benefits; at the same time, they pose serious risks to the privacy of their users.