In July, hackers from around the world flocked to Las Vegas, Nevada for a week of hacker conferences, including Black Hat, DEFCON, and BSides Las Vegas. Every year vulnerabilities are exposed at these conferences. This year, a talk at Black Hat revealed that some of the most popular and affordable smartphones were spying on users and their devices. The BLU R1 HD, an ad-supported smartphone that is offered exclusively through Amazon Prime, was discovered to be transmitting information about the user and their phone to servers located in China. The BLU R1 HD currently sells for $99 on Amazon; however, in the past the device has been offered at prices as low as $50. It is the top-selling smartphone available on Amazon. Another similarly priced smartphone that was found to be compromised was the BLU Life One X2. Amazon was not the only retailer selling compromised devices: other major American retailers such as BestBuy were also selling smartphones that transmitted user data to third-party Chinese servers, such as the BLU Grand M, which is priced between $60 and $75.
Researchers from Kryptowire delivered their talk, entitled “All Your SMS & Contacts Belong to Adups & Others”, at Black Hat USA 2017 on Wednesday, July 26th. Kryptowire is a contractor for the United States’ Department of Homeland Security, although their research on the Adups backdoor was unrelated to their work for the Department of Homeland Security. The Chinese company responsible for the backdoor is Shanghai Adups Technology. In late 2016, it was discovered that smartphones made by BLU were contacting the Chinese servers. At the time, an attorney based in California who was representing Adups claimed that the company had simply “made a mistake.” The CEO of BLU also claimed that the problem had been resolved and that none of their devices were communicating with the Chinese servers anymore.
However, despite the claims from Adups and BLU, the researchers at Kryptowire discovered that Adups’ software was still transmitting data to third-party Chinese servers without the knowledge of the user, only now the company was doing more to obscure its activity. Kryptowire researchers said that they had witnessed three different smartphones which were still communicating with a command and control server in China that is operated by Adups. Ryan Johnson of Kryptowire told CNET that Adups’ backdoors were replaced “with nicer versions,” and stated that he had “captured the network traffic of them using the command and control channel when they did it.” The Adups backdoor allowed the company to run commands, install and delete apps, take screenshots, record calls and texts, and even wipe the device, all without permission from the user. It would also send device identifiers such as the MAC address, IMSI, IMEI, and the serial number. It could track a user’s location through information obtained from local cell phone towers.
During their research, Kryptowire examined the firmware of over twenty cheap smartphones. All of the devices they examined were vulnerable and contained a MediaTek chipset. The MediaTek chipset ships with an application called MTKLogger. These devices were vulnerable to having browser history and GPS location spied on. Like Adups, MediaTek claimed late last year that they had resolved this issue. However, Kryptowire discovered that the BLU Advance 5.0 was being sold with MTKLogger still installed. The BLU Advance 5.0 also happens to be the third most popular smartphone available on Amazon. It does not allow users to update the firmware.
Another cheap Chinese phone, the Cubot X16S, was also determined to have the same privacy issues. Two other major Chinese smartphone manufacturers, Huawei and ZTE, have also been accused of selling Americans phones that are compromised with backdoors. Adups also happens to provide software to Huawei and ZTE. In recent years, the United States House of Representatives’ Permanent Select Committee on Intelligence investigated the two companies over claims of backdoors being installed on the devices they were selling. Kryptowire researchers claimed they did not find any of Adups’ backdoors on smartphones which sell for over 300 dollars, as Adups mainly supplies software to companies which produce more affordable smartphones. The researchers at Kryptowire are not sure what is being done with the data that is sent to the servers Adups controls.