BLU R1 HD Android smartphone

Security researchers from Kryptowire have found a secret backdoor in the firmware of many Android smartphones sold in the US, which covertly gathers information on phone owners and sends it to a server in China.

According to Kryptowire, the server belongs to a company named Shanghai Adups Technology Co. Ltd., which develops and sells a FOTA (Firmware Over The Air) update system that many Android OEMs ship with their devices.

This malicious FOTA update system behaves just like any backdoor trojan, contacting the Chinese company's server and asking for instructions. Based on the received commands, it can execute multiple operations, detailed below:

Collect and send SMS text messages to the Chinese server every 72 hours

Collect and send call log information to the Chinese server every 72 hours

Collect and send user personally identifiable information to the Chinese server every 24 hours

Collect and send the phone's IMSI and IMEI identifiers

Collect and send geo-location information

Collect and send a list of applications installed on the user's device

Download and install applications without the user's consent or knowledge

Update or remove apps

Update the phone's firmware and reprogram the device

Execute remote commands with elevated privileges on the user's device

According to Kryptowire, the backdoor is found inside two system applications that users can't disable or remove. Their names are:

com.adups.fota.sysoper

com.adups.fota
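As an added example (not part of the Kryptowire report or the article), the POSIX shell function below takes the output of `adb shell pm list packages -f` and flags the two package names above, noting whether each APK sits on the system partition (where `pm uninstall` cannot remove it). The listing in `SAMPLE_LISTING` is constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `adb shell pm list packages -f` output (format: package:<apk path>=<package name>).
# On a real device, replace it with: adb shell pm list packages -f
SAMPLE_LISTING='package:/system/app/AdupsFota/AdupsFota.apk=com.adups.fota
package:/system/priv-app/AdupsFotaSysoper/AdupsFotaSysoper.apk=com.adups.fota.sysoper
package:/data/app/com.example.notes-1/base.apk=com.example.notes'

# The two package names Kryptowire reported.
ADUPS_PACKAGES="com.adups.fota com.adups.fota.sysoper"

# find_adups LISTING
# Prints "<package> <apk path> <system|user>" for every Adups package present.
# Returns 0 if at least one was found, 1 otherwise.
find_adups() {
    listing="$1"
    found=1
    for pkg in $ADUPS_PACKAGES; do
        # Escape the dots so the package name is matched literally, anchored at end of line.
        pat=$(printf '%s' "$pkg" | sed 's/\./\\./g')
        line=$(printf '%s\n' "$listing" | grep -- "=${pat}\$" | head -n 1)
        [ -n "$line" ] || continue
        path=${line#package:}   # strip the "package:" prefix
        path=${path%=*}         # strip "=<package name>" suffix
        case "$path" in
            /system/*) kind=system ;;   # read-only partition: cannot be removed by the user
            *)         kind=user ;;
        esac
        printf '%s %s %s\n' "$pkg" "$path" "$kind"
        found=0
    done
    return $found
}

find_adups "$SAMPLE_LISTING"
```

A hit marked `system` confirms the article's point that the component ships in firmware rather than as a removable app.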

On its website, Adups brags that its firmware runs on over 700 million Android devices, but it's unclear how many of these run the FOTA update system.

Security researchers say they've found the backdoored FOTA update system in the firmware of the popular BLU R1 HD smartphone.

In most cases the affected devices are low-end budget Android models, often used as disposable phones. These devices can be found on sale on Amazon and BestBuy.

Adups case similar to the Carrier IQ incident

Kryptowire is a DHS security contractor, but they discovered the security flaw outside their government contracts.

Their discovery about Adups' business practices is similar to the 2011 case of Carrier IQ, another smartphone software vendor.

In 2011, security researcher Trevor Eckhart discovered that smartphones running Carrier IQ software included a rootkit that allowed the software to capture keystrokes.

The software never sent the captured data to Carrier IQ servers. The FTC started an investigation, and several mobile carriers sued the company. Kryptowire says it notified the US government about its findings.