Android Spyware Still Collects PII Despite Outcry

LAS VEGAS – Shanghai Adups Technology was roundly criticized Wednesday during a Black Hat session for continuing to use spyware called Adups on at least two Android handset makers’ phones. Researchers said the company was still collecting personally identifiable information without user consent despite coming under fire for the practice last year.

Ryan Johnson, research engineer and co-founder of Kryptowire, who was part of the original team that found the spyware, told attendees that Adups, the firmware-updating software used by phone manufacturers, was still sending user data back to the company’s China-based servers as recently as May.

Last year, Kryptowire reported that popular low-cost Miami-based phone manufacturer Blu Products was using the firmware updating software called Adups on several model phones. What researchers discovered was that for years the Chinese firm Shanghai Adups Technology was surreptitiously collecting user data from Blu handset models R1 HD and Life One X2.

Personally identifiable information collected and sent to servers included the full body of owners’ text messages, call history with full telephone numbers, and unique device identifiers including the International Mobile Subscriber Identity, serial number, Media Access Control address, and the International Mobile Equipment Identity.

Adups claims on its website that 700 million devices, including cars and other connected devices, use its software.

“At the time when I found it they were getting all this stuff – text message, call log, GPS location – then they rolled that back,” Johnson said. “But in May I found that Adups was still collecting PII.”

That was despite efforts by Google and Blu, which worked with Adups last year to limit the data collected and exfiltrated from phones.

When confronted in November 2016, Shanghai Adups Technology said the data collection was a mistake, according to Johnson’s correspondence with the company. However, he said, while Adups has significantly scaled back the amount of data collected from users, it is still collecting data that it shouldn’t on some Blu model phones. On Blu’s Grand M model phone, Johnson said, Adups is still collecting cell tower IDs, the list of installed applications, the user’s International Mobile Subscriber Identity and the SIM serial number.

Kryptowire researchers said a second Chinese handset manufacturer, Cubot, is also continuing to use the Adups firmware software and is collecting data without the consent of its users. On Cubot X16S model phones, Adups is also collecting cell tower IDs, the list of installed applications, the user’s International Mobile Subscriber Identity and the SIM serial number, in addition to mobile browser history.

Cubot phones are popular in Europe, Africa, South America and Asia. Blu Products phones are widely sold in the United States at retail locations Best Buy and Walmart. According to Johnson, Blu phones are the number one unlocked phone sold via Amazon.

“There is no legitimate reason for Adups to be tracking user browser histories, never mind all the other data,” Johnson said.

In both cases data is sent back to Adups servers. According to Johnson, who tested the Cubot X16S’s software on Monday, Adups has now stopped collecting and sending data back to servers.

Still, Johnson pointed out that Shanghai Adups Technology retains the ability to execute commands on millions of phones with its software. “If it wanted, it could install apps, take screenshots or wipe handsets without needing to ask for the user’s permission,” he said.

from Threatpost – English – Global – thr… http://bit.ly/2tL4JNV
via IFTTT
