Android Phones Found To Have BackDoor To China

Andrew Orr | In the News

Security researchers discovered that some Android phones have a secret backdoor that sends user information back to China.

What Is A BackDoor?

A backdoor is a secret method that an attacker uses to get into a computer, giving remote access (usually unauthorized). It can be hidden inside a program, shipped as a separate program, or even built into a piece of hardware. Some backdoors are legitimate, like when a company uses one as a way to restore user passwords. A default password that a person never changes can also be thought of as a backdoor.

An example of a hardware backdoor is the Clipper chip. The NSA created the Clipper chip in 1993 as an encryption device with a built-in backdoor. At first, telecommunication companies were going to use it for voice transmission. Ultimately, the project ended in 1996 with no further development.

A Clipper Chip | Image credit: Crypto Museum

Android Phones

Only certain models of Android phones by the manufacturer BLU Products have the backdoor. It turns out that a Chinese company called Shanghai Adups Technology Company wrote it. BLU found that the backdoor affected 120,000 of its phones, and released a software update to remove it.

The security company that discovered it – Kryptowire – said that the backdoor transmitted the full contents of text messages, contact lists, call logs, location information and more to a server in China. Tom Karygiannis, vice president of Kryptowire, said the backdoor came preinstalled on these phones.

“Even if you wanted to, you wouldn’t have known about it.”

AdUps designed the backdoor to help a Chinese phone manufacturer monitor the behavior of its users. But it didn’t intend the software for American phones. From a country known for its “Great Firewall,” this surveillance doesn’t come as a surprise.

Image credit: Kryptowire

Code

Kryptowire researchers found the backdoor hidden in two system applications:

  • com.adups.fota.sysoper
  • com.adups.fota

Users can’t remove or disable either of these apps. The smartphone they examined was the BLU R1 HD. Upon discovering the backdoor, Kryptowire immediately alerted Google, AdUps and Amazon. Amazon is the sole distributor of this particular model. The server domains that the backdoor sent information to:

  • bigdata.adups.com (main server)
  • bigdata.adsunflower.com
  • bigdata.adfuture.cn
  • bigdata.advmob.cn

All of these domain names resolved to the IP address 221.228.214.101, which belongs to AdUps. Before the phone transmits user info, it checks in with a remote server using a REST API. The check-in response tells the phone which information to collect and how often. An example of a check-in response:

{
    "json": {
        "keys": [
            {
                "given": "0",
                "keyword": "",
                "type": "1"
            }
        ],
        "poll_cycle": "24"
    },
    "md5": " B865B089A298D529B4602A3D359FE4C8"
}

The service encrypts each user’s text messages with the Data Encryption Standard (DES) before sending them, but the researchers were able to recover the encryption key. Each phone sent text messages back to the server every 72 hours, while other data had a schedule of 24 hours.
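As an added example, not code from the article or from Kryptowire’s report: a small Python script that scans an `adb shell pm list packages` dump and a connection log for the package names, domains and IP address listed above, and parses a check-in response like the one shown. The log line format, the sample inputs and the function names are assumptions made for this example.

```python
import json

# Indicators quoted in the article (Kryptowire's findings).
ADUPS_PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper"}
ADUPS_DOMAINS = {"bigdata.adups.com", "bigdata.adsunflower.com",
                 "bigdata.adfuture.cn", "bigdata.advmob.cn"}
ADUPS_IP = "221.228.214.101"

# Constructed sample inputs, not captured from a real device.
SAMPLE_PM = ("package:com.android.chrome\npackage:com.adups.fota\n"
             "package:com.adups.fota.sysoper\npackage:com.blu.launcher\n")
SAMPLE_LOG = [
    "2016-11-15T02:00:01 10.0.0.7 dns bigdata.adups.com.",
    "2016-11-15T02:00:02 10.0.0.7 tcp 221.228.214.101",
    "2016-11-15T02:01:10 10.0.0.7 dns www.google.com.",
]
SAMPLE_CHECKIN = ('{"json": {"keys": [{"given": "0", "keyword": "", "type": "1"}],'
                  ' "poll_cycle": "24"}, "md5": " B865B089A298D529B4602A3D359FE4C8"}')

def find_adups_packages(pm_output):
    """Return AdUps package names present in `adb shell pm list packages` output."""
    found = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and line[8:] in ADUPS_PACKAGES:
            found.add(line[8:])
    return sorted(found)

def find_adups_traffic(log_lines):
    """Flag log lines whose target is an AdUps domain or its IP address."""
    # Assumed (constructed) line format: '<timestamp> <source> <kind> <target>'.
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        target = parts[3].rstrip(".").lower()
        if target in ADUPS_DOMAINS or target == ADUPS_IP:
            hits.append({"ts": parts[0], "src": parts[1], "target": target})
    return hits

def parse_checkin(body):
    """Extract the polling interval (hours) and md5 field from a check-in response."""
    doc = json.loads(body)
    return {"poll_hours": int(doc["json"]["poll_cycle"]), "md5": doc["md5"].strip()}
```

A match on the package list alone is enough to warrant applying BLU’s update; the traffic check catches a device that has already begun checking in.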

Conclusion

A spokesperson for BLU Products made a statement, saying:

“BLU Products has identified and has quickly removed a recent security issue caused by a third-party application…our customers’ privacy and security are of the upmost [sic] importance and priority…”

Google also issued a statement saying that it’s working with all parties to fix the problem. However, the company doesn’t know how widely AdUps spread the vulnerability. Lily Lim, a lawyer representing AdUps, said that the company intended the backdoor to help them identify junk messages and calls. Aside from the particular BLU phone model, AdUps hasn’t revealed a list of all phones that the backdoor affected.