Kryptowire traced the transmissions of personal data to Shanghai Adups Technology Co. Ltd — a maker of Firmware Over The Air (FOTA) update software systems.
On its website Adups says it has more than 700 million active users and a market share of more than 70 per cent across 200+ countries and regions, with its FOTA systems integrated into more than 400 mobile operators, semiconductor vendors, and device manufacturers — spanning mobiles, wearables, cars and televisions.
In an interview with the NYT, a lawyer representing Adups said the firmware functionality was built at the request of an unidentified Chinese client who intended it to be used to combat spam text messages and for customer support. Although the paper notes US authorities aren’t ruling out the possibility it might have been a Chinese government effort to collect intelligence on US mobile users.
Adups claims to have deleted all accidentally harvested data since Kryptowire contacted it. While BLU’s CEO also tells the paper its phones are no longer harvesting data. Some 120,000 of the smartphones had apparently been affected prior to it pushing an update to kill the firmware’s monitoring.
Kryptowire notes the software and behavior of the firmware bypassed detection by mobile antivirus tools since they assume the software that ships with a device is not malware — and therefore whitelisted it.
The harvested data was encrypted by Adups in transit but Kryptoware was able to identify the encryption key during its analysis, and decrypt text message content — providing a sample text message which reads: “Be there in 5”.
Its analysis also found data transmissions varied depending on the data type, occurring every 72 hours for text messages and call log data, and every 24 hours for other personally identifiable information. It also identified additional functionality in how Adups’ server responded — enabling the monitoring system to support searching for a particular phone number or keyword used within a message.
Kryptoware argues the findings bolster the case for “more transparency at every stage of the supply chain”. It has reported the firmware analysis to the US government, which is now looking to identify “appropriate mitigation strategies”, working with public and private sector partners.