Update 20th December:

ZTE USA has issued an official statement assuring customers that no devices in the USA have ever had Adups software installed on them, and never will in the future. So there’s no risk of ZTE customers in the US witnessing the same type of data theft that happened to BLU handset owners. Here’s the statement:

“We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.”

To reiterate, the research only suggests that ZTE handsets in China have ever had Adups’ OTA software installed on them, and the same goes for other manufacturers on the list unless otherwise specified. We’ll keep you informed if any other manufacturers release statements on the matter.

Original:

A few weeks ago, local US smartphone manufacturer BLU was caught out unintentionally sending sensitive user data to Adups, a data farming company in China. Unfortunately it appears that this might not be a one off event, as some larger global manufacturers have been spotted using the same unsecure software. According to research conducted by mobile security firm Trustlook, a range of other manufacturers, including notable brands Lenovo, Gionee, and ZTE, have been using software from the same company and their own consumers may be affected.

For a refresher, Adups software is used to provide over-the-air firmware updates for hundreds of companies and also acts as a data collector to build a database for spam text prevention. Some smartphone OEMs choose to pick Adups instead of the OTA alternative for Android provided by Google, which isn’t bad in and of itself. However, the software package was caught out collecting and transmitting sensitive user data without consent, including contact, call, and SMS data, every 72 hours after receiving a modified OTA update. This was initially discovered by Kryotowire researchers monitoring data sent by BLU R1 HD smartphones in the US. BLU never intended to collect this data from consumers and swiftly removed Adups from its phones, but at the time it was also speculated that other manufacturers could also be running the same software with the same risks to consumer data.

Since then, Trustlook has conducted additional research into a wider range of manufacturers and discovered that 43 OEMs have utilized Adups’ Firmware-Over-The-Air (FOTA) technology within the past year. Its research confirms that Adups collects IMEI, IMSI, MAC address, Android version number, and operator information, in addition to the user’s SMS text messages, call log data and contact phone numbers. The researchers have also discovered the identifier (MD5) of 91 additional affected versions of com.adups.fota and com.adups.fota.sysoper applications, which can be used to detect whether a device is affected.

While many of the complicit manufacturers were discovered in China, where Adups is based, the FOTA software has been spotted on All Win Tech smartphones in Taiwan, Archos devices in France, DEXP in Russia, and Prestigio hardware in the Czech Republic. The situation also potentially further affect US consumers, as Lenovo also makes the list accompanying BLU in the US, after Adups software was detected in North Carolina. While BLU is only a small manufacturer, Lenovo is a global Android manufacturer selling devices in every major region, and also owns the Motorola brand which is particularly popular in the US and Europe. Chip manufacturer MediaTek, which is based in Taiwan, is also on the list, and could mean that a larger number of devices are affected. It’s possible that this detection is just the tip of the iceberg.

This revelation contradicts an earlier statement from Adups, which claimed that the surveillance features of its FOTA software were specifically developed for the Chinese market, and that it was unintentionally sent as an update to BLU devices in the US. Even more worryingly, the software has already been shown to execute remote commands with escalated system privileges, and can therefore reprogram devices with OTA updates, as is what happened with BLU. This suggests that the company could switch on data collection for any affected handsets by these manufacturers at any time, if it hasn’t done so already, even without an OEM’s knowledge.

Trustlook’s list of manufacturers who have devices running Adups can be found below.

  • Aaron Electronics
  • Aeon Mobile
  • All Win Tech
  • Amoi Technology
  • Archos
  • AUX
  • Bird
  • BLU
  • Cellon
  • Coship Mobile
  • DEWAV Communication
  • DEXP Digital Experience
  • Eastaeon Technology
  • Electronic Technology
  • Gionee
  • GOSO
  • Hisense
  • Hongyu
  • Huaqin
    Huiye
  • Inventec Corporation
  • Konka Group
  • Lenovo
  • Logicom
  • Longcheer
  • Malata Mobile
  • Mediatek Helio
  • Prestigio
  • Ragentek
  • RDA Micro
  • Reallytek
  • RUIO
  • Sanmu
  • Sprocomm
  • Tinno
  • Uniscope
  • VSUN
  • Water World Technology
  • Wind Communication
  • WingTech
  • Yifang Digital
  • Zhuhai Quanzhi
  • ZTE

Unfortunately this research doesn’t explicitly tell us if these manufacturers are using versions of Adups that are currently transmitting sensitive user data, nor which smartphones are potentially affected. So we don’t know for sure how many of these manufacturers are actually complicit, intentionally or otherwise, in sending what should be confidential user data to Adups.

What also muddies the situation is that although BLU wasn’t aware of the situation on its device, other manufacturers may well be. It’s previously been suggested that shady terms and conditions accepted when setting up a new phone could allow for manufacturers to transfer this type of information with the user’s “consent”. If you are really concerned about the possibility of Adups spying on your messages and other data, it may be wise to steer clear of all of these manufacturers until they clarify the situation.

If you currently own a device from one of the manufacturers on the list, Trustlook has incorporated a test for Adups into its AntiVirus software. Clever marketing, I know. You can download it for free from the Google Play Store. Although there are in-app purchases, annoying notifications, and it’s own privacy policy states that the app will collect app and other data which can be transferred to affiliated companies around the world, including advertisers, sponsors and other partners. That’s all quite typical for free antivirus software these day, but you’re not alone if you think this sounds a bit hypocritical given the circumstances.

Given that BLU was able to quickly remove the offending software from its devices, it will be telling to see how swift and willing other companies act to remove Adups from their phones, if at all. Currently no other manufacturers have admitted to being involved in this data collection fiasco.