Mobile application security company Kryptowire has disclosed a backdoor pre-installed in the firmware of more than 700 million Android devices. The backdoor transmits user and device data to a server in China every 72 hours.
The firmware could target specific users and text messages matching remotely defined keywords. It also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the device.
The backdoor enables a Chinese company, Adups, to transmit information such as text messages, contact lists, and IMEI numbers (International Mobile Equipment Identity numbers). The data is transmitted without the user's knowledge or consent.
The Adups backdoor collects the information and puts it into an archive – source.zip.
The most affected devices are found in the U.S.: phones from Blu Products, such as the BLU R1 HD, sold on Amazon and at Best Buy. Some pre-paid and disposable phones are also affected. However, the company says that the backdoor endangers the PII of Chinese Android users.
The Chinese company says that this version of its software was not meant for American devices; its main purpose was to help phone manufacturers monitor the behavior of Chinese users.
Kryptowire’s findings “are based on both code and network analysis of the firmware.” As already mentioned, the user and device information was collected automatically and transmitted every 72 hours without the users’ consent or knowledge. The data was also encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai, Kryptowire says.
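The network-analysis side of a finding like this comes down to spotting a destination that is contacted on a fixed schedule with a payload of consistent size. The script below is an added example, not Kryptowire's tooling or anything from the Adups firmware: it takes outbound connection records (timestamp, destination host, bytes uploaded), groups them by host, and flags hosts whose contact interval and upload size are both stable. The hosts, timestamps and sizes are constructed for the example; the "update.example-fota.test" host stands in for a 72-hour exfiltration endpoint and is not a real server.

```python
"""Periodic-beacon detector over outbound connection records.

Given outbound flow records (timestamp, destination host, bytes sent),
group by destination and flag hosts that are contacted at a near-fixed
interval with a consistent upload size, the traffic pattern the article
describes (an encrypted archive uploaded every 72 hours). Every host and
record below is constructed for this example; none is a real server.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: (timestamp, destination host, bytes uploaded).
# "update.example-fota.test" plays the role of the exfiltration server;
# the other hosts model ordinary, user-driven app traffic.
SAMPLE_FLOWS = [
    ("2016-11-01T03:00:00", "update.example-fota.test", 48213),
    ("2016-11-01T09:12:00", "cdn.social.test", 1200),
    ("2016-11-02T14:40:00", "cdn.social.test", 3100),
    ("2016-11-04T03:00:12", "update.example-fota.test", 47990),
    ("2016-11-05T11:02:00", "cdn.social.test", 900),
    ("2016-11-07T02:59:51", "update.example-fota.test", 48410),
    ("2016-11-08T18:22:00", "cdn.social.test", 2200),
    ("2016-11-10T03:00:05", "update.example-fota.test", 48102),
    ("2016-11-10T19:00:00", "weather.example.test", 500),
    ("2016-11-13T03:00:20", "update.example-fota.test", 48350),
]


def parse_flows(rows):
    """Return {host: [(datetime, bytes), ...]} sorted by time per host."""
    by_host = defaultdict(list)
    for ts, host, nbytes in rows:
        by_host[host].append((datetime.fromisoformat(ts), int(nbytes)))
    for host in by_host:
        by_host[host].sort()
    return by_host


def beacon_candidates(flows, min_events=4, max_jitter=0.05, max_size_cv=0.10):
    """Flag hosts whose contact interval and upload size are both stable.

    - min_events: minimum contacts needed before judging periodicity.
    - max_jitter: allowed std-dev of intervals as a fraction of the mean.
    - max_size_cv: allowed coefficient of variation of upload sizes.
    Returns {host: {"period_hours": float, "mean_bytes": float}}.
    """
    results = {}
    for host, events in parse_flows(flows).items():
        if len(events) < min_events:
            continue
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(intervals)
        if period <= 0:
            continue
        if pstdev(intervals) / period > max_jitter:
            continue  # irregular cadence: looks like user-driven traffic
        if pstdev(sizes) / mean(sizes) > max_size_cv:
            continue  # widely varying payloads: not a fixed-format archive
        results[host] = {
            "period_hours": round(period / 3600, 2),
            "mean_bytes": round(mean(sizes), 1),
        }
    return results


if __name__ == "__main__":
    for host, info in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{host}: every ~{info['period_hours']} h, ~{info['mean_bytes']} bytes")
```

On the constructed sample only the fixed-schedule host survives both filters; the social and weather hosts are dropped for irregular timing or too few contacts. Because the payload in the real case was encrypted and sent over a secure web protocol, content inspection would show nothing useful; the cadence and size regularity are what a network analyst actually has to work with, and the thresholds here are starting points to tune against a device's baseline traffic.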
Unfortunately, this behavior evades mobile anti-virus tools. They presume that software shipped with the device is not malicious, so pre-installed components are white-listed rather than inspected.