Chinese Planted Spyware on Massive Number of Android Phones

The New York Times, under the scary headline “Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say,” reported that, according to Kryptowire security researchers, the Chinese firm Shanghai Adups Technology Co. Ltd has planted software on hundreds of thousands of Android devices and is siphoning off phone data. It did this at the request of an unnamed Chinese manufacturer, they said.

The NYT wrote, “Security contractors recently discovered pre-installed software in some Android phones that monitors where users go, whom they talk to and what they write in text messages.”

This is the worrying part: “... this case is exceptional. It was not a bug. Rather, Adups intentionally designed the software to help a Chinese phone manufacturer monitor user behavior …”

This news was broadcast on November 15. So far the US Department of Homeland Security has said it will post a bulletin, but it has not yet done so. Regarding Europe, it seems that this spyware might have been intended only for the Chinese market but ended up by mistake on BLU phones sold in the USA through Amazon and Best Buy. There is no news so far of this spyware being on phones in Europe or anywhere else besides China and the USA.

The software is transmitting text messages, call logs, and other private data on hundreds of thousands of phones to a server in Shanghai, China. It is doing that right now. The situation is made worse because, in most cases, there is no way to know which phones are affected.

The Adups company provides software to the Chinese cell phone manufacturers Huawei and ZTE and the American firm BLU. BLU has removed the software and then told Adups to destroy all the data it had collected. Adups has not produced a list of which phones are affected, meaning we do not know which Huawei or ZTE models have this spyware. Neither of those companies has produced that list yet either. ZTE said, “No handsets sold in the US have ADUPS.” Again, they do not mention any other country.

Phone manufacturers are free to make small changes to Android on their devices, so information about the firmware is found in different places on different phones. On the BLU devices you can see if your phone has that spyware by going to Settings > Apps > Show System > Wireless Update. The affected versions are 5.0.x to 5.3.x.

On other phones there is no way to know whether Adups is there or not. The only way to know would be to wait for news from the manufacturers or other security researchers.

The Adups software lets phone manufacturers update their firmware over-the-air. Adups also provides big data services to manufacturers for customer support purposes, which is its excuse for vacuuming up this information. The company said the software was installed to help manufacturers and carriers filter out spam messages.

The NYT speculated that installing that software might have been a condition imposed to allow those firms to do business in China. China often does that to domestic and foreign businesses.

A Kryptowire researcher discovered this accidentally when he bought a cheap phone, the BLU R1 HD. He checked and noticed that it was sending out lots of data to IP addresses that should not have been there.

Kryptowire has published its report here. They say, “These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).”

The spyware can also be programmed to look for particular keywords, such as those that would interest Chinese intelligence, and for individual users, such as people who criticize China. China has been rough with its citizens, and with those in Hong Kong, who have criticized the government.

So this is obviously a developing story and there will be more news to come. In the meantime, Android users will just have to look for any updates from Huawei and ZTE. Adups targets the low-end Android market, so presumably Samsung devices are not affected. Samsung is a Korean firm.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.