Chinese company Shanghai Adups Technology Co. Ltd. enabled the process of installing a backdoor in thousands of Android phones that have been selling through US-based retailers including Amazon. The report comes from Homeland Security contractor Kryptowire, which happened to stumble upon this discovery while inspecting a Blu R1 HD smartphone.
The software sent victims’ text messages and call log information to servers in China every 72 hours. Other personally identifying information was being transmitted once in 24 hours. This was being done without the knowledge and therefore consent, of the users affected by the issue.
Adups has apologized for this ‘mistake’ and noted that the Firmware Over-The-Air (FOTA) update which enabled the illegal data transmission had inadvertently made its way to Blu (company behind Vivo, by the way) products. The software was apparently developed for another client who wanted a way to flag junk texts and calls.
Apart from sending text messages and call logs to Chinese servers, the firmware also transmitted data on International Mobile Subscriber Identity (IMSI), International Mobile Equipment Identity (IMEI) and use of apps on the device being spied upon. But that’s not the only worrying bit.
The software was able to remotely reprogram the affected gadgets by bypassing Android permissions. It also had the capability to target specific users and texts. Adups claims a new FOTA self-update has dealt with the backdoor problem and that all of the collected user information has been destroyed.
However, it hasn’t come forward with a list of products which have been tainted by the issue. Figuring out whether or not a device has been exposed in such a manner is not easy. Even anti-virus tools could not detect the backdoor because it was shipped with the products and therefore considered whitelisted.