Your Android could be sending messages to China

A pre-installed backdoor on more than 700 Android devices transmits data to a server in China every 72 hours.

A pre-installed backdoor on more than 700 Android devices was discovered by Kryptowire. The backdoor allows a Chinese company called Adups to transmit information like text messages, contact lists, and IMEI numbers without users’ knowledge or consent – every 72 hours.

The backdoor collects all the data that it wants into an archive named source.zip.

The archive includes data such as the application list (DcApp.json), the message list (dc_msg_key.json), the user call log list (DcTellMessage.json) and other information from users' devices.

It uploads the archive to the server: bigdata.adups.com/mobileupload.action.
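
For defenders who keep web proxy logs, the upload endpoint and the 72-hour interval described above can be turned into a simple check. The following is an added example, not code from Avast or Kryptowire; the log format, the http scheme, the sample lines and the two-hour tolerance are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the article.
UPLOAD_HOST = "bigdata.adups.com"
UPLOAD_PATH = "/mobileupload.action"
BEACON_HOURS = 72      # upload interval reported in the article
TOLERANCE_HOURS = 2    # assumption: allowed jitter around that interval

# Constructed sample proxy log (assumed format: ISO time, client IP, method, URL).
SAMPLE_LOG = """\
2016-11-14T08:00:12 10.0.0.21 POST http://bigdata.adups.com/mobileupload.action
2016-11-14T09:15:40 10.0.0.35 GET http://example.com/index.html
2016-11-17T08:01:03 10.0.0.21 POST http://bigdata.adups.com/mobileupload.action
2016-11-18T11:30:00 10.0.0.44 POST http://bigdata.adups.com/mobileupload.action
2016-11-20T07:59:30 10.0.0.21 POST http://bigdata.adups.com/mobileupload.action
2016-11-20T10:00:00 10.0.0.35 GET http://notbigdata.adups.com.example.org/mobileupload.action
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+https?://([^/\s:]+)(?::\d+)?(/\S*)?$")

def find_uploads(log_text):
    """Return {client_ip: [datetime, ...]} for requests to the upload endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, client, _method, host, path = m.groups()
        # Exact host match so look-alike domains are not counted.
        if host.lower() == UPLOAD_HOST and (path or "").split("?")[0] == UPLOAD_PATH:
            hits[client].append(datetime.fromisoformat(ts))
    return {c: sorted(t) for c, t in hits.items()}

def classify(hits):
    """Label a client 'periodic' if every gap matches the 72-hour interval, else 'seen'."""
    result = {}
    for client, times in hits.items():
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        periodic = bool(gaps) and all(abs(g - BEACON_HOURS) <= TOLERANCE_HOURS for g in gaps)
        result[client] = "periodic" if periodic else "seen"
    return result

if __name__ == "__main__":
    for client, label in sorted(classify(find_uploads(SAMPLE_LOG)).items()):
        print(client, label)
```

A client labelled "seen" contacted the endpoint at least once; "periodic" means its requests also recur at the reported 72-hour interval.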

Devices affected

The main devices affected in the US are phones from Blu Products, which are sold on Amazon and Best Buy. Other devices include some pre-paid and disposable phones, but the backdoor mainly affects Chinese Android owners. Adups admitted that this version of their software was not supposed to be shipped out on American devices, but to help phone manufacturers monitor Chinese user behavior.

Avast helps you find out if you are affected

The application that includes the backdoor is an app called Wireless Update, which checks for firmware updates. Blu Products has issued a statement saying the application has been self-updated and that information is no longer being transmitted to Adups.

However, other devices could still be transmitting information. While neither you nor Avast can remove or disable the backdoor, Avast Mobile Security detects if the backdoor is present. If Avast Mobile Security detects the backdoor, it is up to you whether to continue using your phone or to get in touch with your phone’s manufacturer, who can hopefully issue a patch.

This is a good example of how complex Android security is, because of its many layers and all the different players involved.

This backdoor is detected by Avast as Android:SMForw-ZK [Trj] and Android:SpyAgent-YG [Trj].
