Backdoor in Chinese-made firmware on Android smartphones sends information to Chinese server

  • By huaweicomputers
  • 13/05/2022

Kryptowire, a security analysis tool provider spun off from the US Defense Advanced Research Projects Agency (DARPA), announced on the 15th (local time) that a backdoor is installed in Chinese smartphones using firmware developed by Shanghai ADUPS Technology.

Shanghai ADUPS Technology is a leading Chinese provider of Firmware Over-The-Air (FOTA) update services. It develops a cloud-based service, and smartphones incorporating its firmware can update that firmware over the Internet. It is said to collaborate with many device manufacturers, mobile operators and semiconductor companies around the world.

According to Kryptowire, smartphones with this ADUPS firmware collect user location information, call history, contact information, text messages entered, etc. and send them to a server in China every 72 hours. Functionally it resembles Carrier IQ, which became a problem in 2011, except that it also has firmware update and remote app update/install features and does not perform keylogging or email address collection.
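As an added illustration (not part of the original article or of Kryptowire's report), the sketch below shows how a defender could look for the 72-hour upload cadence described above in outbound flow records. The records, device names and hostnames are constructed placeholders, and the tolerance and minimum-interval thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: (UTC timestamp, device, destination host, bytes sent).
# Hostnames and device names are placeholders, not indicators from the report.
SAMPLE_FLOWS = [
    ("2016-11-01T03:00:00", "phone-a", "fota.example.invalid", 48210),
    ("2016-11-01T09:14:00", "phone-a", "cdn.example.invalid", 1200),
    ("2016-11-02T17:40:00", "phone-a", "cdn.example.invalid", 900),
    ("2016-11-04T03:05:00", "phone-a", "fota.example.invalid", 51022),
    ("2016-11-05T08:00:00", "phone-b", "fota.example.invalid", 300),
    ("2016-11-06T22:31:00", "phone-a", "cdn.example.invalid", 1500),
    ("2016-11-07T02:58:00", "phone-a", "fota.example.invalid", 47500),
    ("2016-11-09T11:00:00", "phone-b", "fota.example.invalid", 280),
    ("2016-11-10T03:01:00", "phone-a", "fota.example.invalid", 49980),
]


def find_periodic_uploads(flows, period_hours=72, tolerance_hours=2, min_intervals=3):
    """Return (device, host, intervals_matched, total_bytes) for each device/host
    pair whose consecutive connections are spaced about period_hours apart."""
    by_pair = defaultdict(list)
    for ts, device, host, sent in flows:
        by_pair[(device, host)].append((datetime.fromisoformat(ts), sent))

    findings = []
    for (device, host), events in sorted(by_pair.items()):
        events.sort()
        # Hours between each connection and the next one to the same host.
        gaps = [
            (later[0] - earlier[0]).total_seconds() / 3600
            for earlier, later in zip(events, events[1:])
        ]
        matched = sum(1 for g in gaps if abs(g - period_hours) <= tolerance_hours)
        # Require every gap to match so ordinary irregular traffic is not flagged.
        if gaps and matched == len(gaps) and matched >= min_intervals:
            findings.append((device, host, matched, sum(s for _, s in events)))
    return findings


if __name__ == "__main__":
    for device, host, n, total in find_periodic_uploads(SAMPLE_FLOWS):
        print(f"{device} -> {host}: {n} intervals of ~72 h, {total} bytes sent")
```

A fixed cadence alone is not proof of data collection, since legitimate update checks can also be periodic; the upload volume per interval is what makes a flagged pair worth inspecting.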

The user's text messages are encrypted with DES before being sent, but Kryptowire found the encryption key and succeeded in decrypting the messages.

This problem was discovered by a Kryptowire employee who had purchased the BLU Products smartphone "BLU R1 HD". However, ADUPS firmware has also been adopted by manufacturers such as Huawei and ZTE, and shipments are estimated to reach 700 million units, so the problem potentially exists more widely.

In response, Shanghai ADUPS Technology issued a statement on the 16th (China time). It acknowledged that the ADUPS firmware collects model information, device status, application information, bin / xbin information, and various other information, but said these are used to make sure that the right updates and services are delivered to the right device. It also said that multiple layers of encryption are applied in transit to ensure the security of the data, and that it has strictly protected user privacy since the company was established.

On the other hand, the company said the purpose of collecting text messages and call history is to improve the user experience by dealing with junk mail such as advertisements and nuisance calls from phone numbers that are not in the user's contacts. These functions are said to have been provided in a customized version.

In some BLU products, this function for collecting junk e-mail and nuisance calls was enabled; it had been developed at the request of another ADUPS customer and was implemented in the BLU products by mistake. ADUPS updated its products for BLU and immediately removed these features. These products have passed Kryptowire testing and have been approved by both Google and BLU.

Going forward, the company says it aims to make further improvements to protect privacy in its products.