Kryptowire Provides Technical Details on Black Hat 2017 Presentation: Observed ADUPS Data Collection & Data Transmission

FAIRFAX, Va.--After our initial findings about mobile device data transmission in November 2016, Kryptowire analyzed additional mobile devices for the collection of Personally Identifiable Information (PII) and its transmission to third parties. We presented these findings in the briefings section of Black Hat USA 2017. We are providing further technical detail here to clarify press reports and to help others identify additional devices that might be affected. We stand by our findings because we have clear forensic evidence, both in the code and in network traces, to support them.

We can provide additional information to any interested parties upon request.

Manufacturers that believe their devices may be affected can contact oem@kryptowire.com for additional information.

Consumers that believe their devices may be affected can refer to the manufacturer warranty or retailer terms of purchase for more information.

Model: Cubot X16S
Date Tested: May 2017
Data Collected: Browser history, call log, text message metadata (phone number with timestamp), IMEI, IMSI, Wi-Fi MAC address, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys
Build Date: October 11, 2016, 17:45:54 CST
Exfiltration Apps: com.adups.fota (version name 5.2.1.1.002, version code 23) and com.adups.fota.sysoper (version name 5.0.6, version code 506)
App Locations on Device: /system/app/AdupsFota/AdupsFota.apk, /system/app/AdupsFotaReboot/AdupsFotaReboot.apk, and /system/app/AdupsFotaReboot/oat/arm64/AdupsFotaReboot.odex
SHA-256 of AdupsFota.apk: d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972
SHA-256 of AdupsFotaReboot.apk: 66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f
SHA-256 of AdupsFotaReboot.odex: daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650
Command and Control Channel URL: http://rebootv5.adsunflower.com/ps/fetch.do
Primary Exfiltration URL: https://bigdata.adups.com/fota5/mobileupload.action
Secondary Exfiltration URL: https://push5.adups.com/dm/pushInterface.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia.
Capable of Text Message Exfiltration: The application contains code that will exfiltrate the body and number of text messages if triggered by a network command. The network command is received from the following URL: https://bigdata.adups.com/fota5/msgInter.action

Model: BLU Grand M
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys
Build Date: Thu Dec 22 20:13:01 CST 2016
Exfiltration App: com.data.acquisition (version name 3.1.0.310, version code 310)
App Locations on Device: /system/app/Fire/Fire.apk and /system/app/Fire/oat/arm/Fire.odex
SHA-256 of Fire.apk: b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07
SHA-256 of Fire.odex: 2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702
Primary Exfiltration URL: http://bigdata.advmob.cn/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia

Model: BLU Life One X2
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Life_One_X2/Life_One_X2:6.0.1/MMB29M/1477622278:user/release-keys
Build Date: Fri Oct 28 10:37:58 CST 2016
Exfiltration App: com.data.acquisition (version name 3.1.0.310, version code 310)
SHA-256 of Fire.apk: aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7
SHA-256 of Fire.odex: 4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369
Primary Exfiltration URL: http://bigdata.adsunflower.com/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia

Model: BLU Advance 5.0
Date Tested: July 2017
Vulnerabilities: Command execution as the system user via com.adups.fota.sysoper, and logging capabilities exposed to third-party apps co-located on the device by an old version of MTKLogger (com.mediatek.mtklogger). These vulnerabilities have been left unaddressed since late 2016.
Data Collected: N/A
Build Fingerprint: BLU/BLU_Advance_5.0/BLU_Advance_5.0:5.1/LMY47I/1458805524:user/release-key
Build Date: Thu Mar 24 15:48:00 CST 2016
App Locations on Device: /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/MTKLogger/MTKLogger.apk
SHA-256 of AdupsFotaReboot.apk: 0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd
SHA-256 of MTKLogger.apk: 6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a
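
The release asks others to identify further affected devices. The following triage script is an added example to support that, not Kryptowire's own tooling. It embeds the package names, on-device file digests and C2/exfiltration hosts from the tables above, parses a device's `pm list packages -f` output, pulls any listed package's APK over adb and compares its SHA-256 against the release's values, and classifies URLs seen in captured traffic against the listed hosts. The adb workflow, the assumption that the /system APKs can be pulled without root, and the subdomain-matching rule for hosts are assumptions of this example, not statements from the release.

```python
"""Device triage against the ADUPS indicators listed in this release.

Added example, not Kryptowire's tooling. Package names, paths, SHA-256 digests
and hostnames are copied from the device tables above; the adb workflow in
main() is an assumption (adb on PATH, one device attached with USB debugging
enabled, /system APKs readable so that `adb pull` works without root).
"""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Packages named in the release; MTKLogger is listed as a vulnerable component, not an exfiltration app.
IOC_PACKAGES = {
    "com.adups.fota": "ADUPS FOTA client (exfiltration)",
    "com.adups.fota.sysoper": "ADUPS FOTA system-user helper (exfiltration, command execution)",
    "com.data.acquisition": "ADUPS Fire data-acquisition app (exfiltration)",
    "com.mediatek.mtklogger": "old MTKLogger (logging usable by co-located apps)",
}

# SHA-256 of the on-device files named in the release, keyed lowercase.
IOC_SHA256 = {
    "d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972": "Cubot X16S AdupsFota.apk",
    "66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f": "Cubot X16S AdupsFotaReboot.apk",
    "daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650": "Cubot X16S AdupsFotaReboot.odex",
    "b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07": "BLU Grand M Fire.apk",
    "2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702": "BLU Grand M Fire.odex",
    "aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7": "BLU Life One X2 Fire.apk",
    "4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369": "BLU Life One X2 Fire.odex",
    "0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd": "BLU Advance 5.0 AdupsFotaReboot.apk",
    "6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a": "BLU Advance 5.0 MTKLogger.apk",
}

# Hosts of the C2 and exfiltration URLs named in the release, for reviewing captured traffic.
IOC_HOSTS = {
    "rebootv5.adsunflower.com": "command-and-control channel (Cubot X16S)",
    "bigdata.adups.com": "primary exfiltration and SMS-exfiltration command (Cubot X16S)",
    "push5.adups.com": "secondary exfiltration (Cubot X16S)",
    "bigdata.advmob.cn": "Fire exfiltration (BLU Grand M, BLU Life One X2)",
    "bigdata.adsunflower.com": "Fire primary exfiltration (BLU Life One X2)",
}

def parse_pm_list(output: str) -> dict:
    """Parse `pm list packages -f` lines ("package:/path/App.apk=pkg.name") into {pkg: apk_path}."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            installed[pkg] = path
    return installed

def find_ioc_packages(installed: dict) -> list:
    """Return (package, apk_path, description) for each installed package on the IOC list."""
    return [(pkg, path, IOC_PACKAGES[pkg])
            for pkg, path in sorted(installed.items()) if pkg in IOC_PACKAGES]

def match_hash(digest: str):
    """Return the release's label for a listed digest, or None if the file is not on the list."""
    return IOC_SHA256.get(digest.strip().lower())

def classify_url(url: str):
    """Return the role of a URL's host if it is (a subdomain of) a listed C2/exfiltration host."""
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.lower()
    for ioc_host, role in IOC_HOSTS.items():
        if host == ioc_host or host.endswith("." + ioc_host):
            return role
    return None

def adb(*args: str) -> str:
    """Run one adb command and return its stdout; raises if adb is missing or no device is attached."""
    return subprocess.run(["adb", *args], check=True, capture_output=True, text=True).stdout

def main() -> int:
    installed = parse_pm_list(adb("shell", "pm", "list", "packages", "-f"))
    hits = find_ioc_packages(installed)
    if not hits:
        print("no package from the release's list is installed")
        return 0
    with tempfile.TemporaryDirectory() as tmp:
        for pkg, path, desc in hits:
            local = Path(tmp) / Path(path).name
            adb("pull", path, str(local))  # assumes the system APK is readable by the shell user
            label = match_hash(hashlib.sha256(local.read_bytes()).hexdigest())
            verdict = label or "hash not in the release (different build or variant; inspect manually)"
            print(f"{pkg}  {path}  [{desc}] -> {verdict}")
    return 1

if __name__ == "__main__":
    sys.exit(main())
```

A package-name hit whose digest is not on the list is still worth reporting: it means the same ADUPS package ships in a build the release did not test, which is exactly the case the release asks others to surface. Digests are computed over the file as stored on the device, so a match requires the identical APK, not merely the same version name; the .odex files listed above are build-specific and are checked the same way if pulled from the oat/ directories.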
 

About Kryptowire

Kryptowire automatically tests and validates the security of mobile and IoT firmware and applications to the highest government and industry software assurance standards. Kryptowire was jumpstarted by the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS) in 2011, is based in Fairfax, Virginia, USA and has a customer base ranging from government agencies to national cable TV companies. For more information, visit www.kryptowire.com.

Contacts

Kryptowire
Tom Karygiannis, VP Product
+1 202-531-6420
media@kryptowire.com
Follow @kryptowire

Release Summary

Kryptowire stands by its findings on the observed ADUPS personally identifiable data collection & transmission in a number of mobile devices.
