26 January 2018
Today what we are about to share will be surprising for all our readers. As per the latest report from security firm Kryptowire, millions of affordable Chinese smartphones including Blu smartphones were collecting users’ data and sends them the backdoor to servers in China without users’ permission.
The backdoor channel is revealed by Kryptowire, they reveal the potential threat which already affected millions of users around the globe. The backdoor software is developed by Chinese software development company Adups and still we are unaware how many million devices are affected with this software. This software copies users contact list, call details, personal info, and text messages and sent it to Adups server after every 72 hours.
According to Kryptowire, the Adups can easily install apps on the affected device without the consent of user which means all important info of users data were copied by this software.
Kryptowire spokesperson releases a statement:
These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices... The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information.
Apparently, the Adups firmware was used by manufacturers to roll out the OS update. As per Adups website, up till now, they worked with around 400 companies and most of them are smartphone builders.
The Kryptowire claim that nearly 700 million devices around the globe have Adups software. Although majority smartphone manufacturers clients of this company are local but ZTE is amongst one of the biggest company on their list.
Recently Adups released a statement to New York Times, in which company’s Attorney Lily Lim mentioned that this kind of software was indeed created for a local Chinese smartphone manufacturer who wanted to better serve their customers by knowing their details. The Adups didn’t reveal the name of manufacturer nor give details regarding a number of affected devices.
The Kryptowire found the affected software on BLU products and they are sure there is at least one another manufacturer who sold devices with this backdoor software. The Blue is a Florida based company who is selling the smartphone in the US exclusively via Amazon. Soon after finding the bug, the BLU is informed who removed the Adups backdoor software which affected nearly 120,000 devices of BLU. The BLU Products statement:
“BLU Products has identified and has quickly removed a recent security issue caused by a third-party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices, Our customer’s privacy and security are of the upmost (sic) importance and priority. The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.”
The tech giant, Google also appreciated the Kryptowire’s findings and stated they are working with affected parties to resolve the issue of this affected software. Google is also unaware how much Adups software is been distributed. Google stated:
“We appreciate Kryptowire’s work to help keep mobile users safe,” a Google spokesperson said in a statement. “We have been in close contact with the various companies Kryptowire mentions in their research, we’re helping them take any appropriate actions, and we’re exploring any additional technical solutions we can offer as well. None of the information that was leaked in the issues described by Kryptowire was collected by Google.”
The Amazon is quick to stop selling the affected Blue R1 HD smartphone and sent out emails to customers and confirmed a software update from Blu is on its way which will resolve the issue of back-door spying software.