Mobile Menace Monday: Adups, old and new

Mobile Menace Monday: Adups, old and new

A newly discovered malicious app is found on China-made mobile devices running the Android OS. This is a baked-in system app used to update the device’s firmware but is found to also steal personal information, among other things. A blog is recently published about this malware by Kryptowire.

Already we have had inquiries on whether we detect Adups or not. The answer to that is I believe we do. You see, the app in question, which goes by the package name of com.adups.fota, has a couple of variants. There is an older version seen around 2014 and a newer version that emerged mid-2016. This older version we detect and have done so since 2014. I can verify that this older version was indeed pre-installed on various Chinese mobile devices bought cheaply on online stores, mainly Amazon. I know this because ever since we started detecting this older version of com.adups.fota, we have received support tickets periodically about why we are detecting a system app that cannot be uninstall—I’ll get to how to address this later.

The new version of com.adups.fota sends the device’s IMEI number, model name, and OS version right away. The older version sends in addition the phone number, IMSI number, Serial Number of the device, and the wireless MAC address as soon as the app checks for firmware updates.

What really sets the older version of com.adups.fota apart is what is found in the unique receiver name, com.adups.fota.base.ServiceReceiver, and the corresponding code files under com.adups.fota.base. Within this code, a backdoor is opened. Thus, we simply call it Android/Backdoor.Agent. This code is not found in the newer versions of com.adups.fota.

adups

It is unclear if what Kryptowire found was in the old version, which has been detected in the mobile anti-malware industry for years, or something new that was overlooked.

I will say this: the capabilities of the Adups app that Kryptowire found have strong resemblance to the behaviors of a malicious backdoor.

Disabling Adups

As stated above, if com.adups.fota is found on your device, it cannot be uninstalled since it is a system app. However, you can disable the app. Simply go into Settings > Apps, find the Adups app (most likely listed as System Update or Wireless Update) to open up its settings. From the Apps settings, you can disable it via clicking the Disable button. Unfortunately, this is the best users can do without rooting the device and/or re-imaging it, which is not something we recommend. But, hey, if you only paid $50 for it and are willing bear full responsibility—we’ll leave the option up to you.

Nathan Collier

ABOUT THE AUTHOR

Nathan Collier

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.