A pre-installed backdoor on more than 700 Android devices transmits data to a server in China every 72 hours.
A pre-installed backdoor on more than 700 Android devices was discovered by Kryptowire. The backdoor allows a Chinese company called Adups to transmit information like text messages, contact lists, and IMEI numbers without users’ knowledge or consent – every 72 hours.
What this backdoor does is to collect all the data that it wants into an archive named source.zip.
The archive above includes data like the application list (DcApp.json), message list (dc_msg_key.json), the user call log list (DcTellMessage.json) and other information from users' devices.
It uploads the archive to the server: bigdata.adups.com/mobileupload.action.
The main devices affected in the US are phones from Blu Products, which are sold on Amazon and Best Buy. Other devices include some pre-paid and disposable phones, but the backdoor mainly affects Chinese Android owners. Adups admitted that this version of their software was not supposed to be shipped out on American devices, but to help phone manufacturers monitor Chinese user behavior.
The application that includes the backdoor is an app called Wireless Update, which checks for firmware updates. Blu Products has issued a statement saying the application has been self-updated and that information is no longer being transmitted to Adups.
However, other devices could still be transmitting information. While neither you nor Avast can remove or disable the backdoor, Avast Mobile Security detects if the backdoor is present. If Avast Mobile Security detects the backdoor, it is up to you if you want to continue using your phone or if you want to get in touch with your phone’s manufacturer, who can hopefully issue a patch.
This is a good example of how complex Android security is, because of its many layers and all the different players involved.
This backdoor is being detected by Avast as Android:SMForw-ZK [Trj] and Android:SpyAgent-YG [Trj]
Learn how to keep your eye out for malicious apps.
Avast finds and detects an app that mines the Monero cryptocurrency