There seems to be an uptrend in potential spyware being delivered or discovered on devices that originate from China. Malwarebytes recently reported on a variant of a Trojan from Adups that was pre-installed on phones that were government funded in the USA. This story was later picked up by Forbes.
The malware in question was identified as:
Android/PUP.Riskware.Autoins.Fota.fbcvd
Malwarebytes reported how malware known as HiddenAds was added to the device, throwing up aggressive advertising on the infected phone.
Adups has a previous history of data violations, including in 2015, when they were discovered to be installing apps on Micromax Android devices without permission.
So what is Adups, and why is it used and installed on so many devices? Adups provides a component which enables smartphone vendors to provide a firmware-over-the-air (FOTA) update of their custom phone software. The FOTA provides a means for phone vendors to update their code, but Adups also has the ability to ship updates to users' phones, bypassing not only the smartphone vendors but also users.
In addition to buyers of low-end budget devices, people who procure innovative devices from funding platforms such as Kickstarter and Indiegogo may also find that the software on the device includes such a FOTA component.
The Cosmo Communicator appears to have a problem with its FOTA, and the Gemini and Cosmo group on Facebook shows that users are of course concerned about this and are awaiting assurances from Planet Computers, the phone vendor.
Similarly, the Unihertz Titan uses Adups for its FOTA, and its own Facebook user group again voices concern. Adups provided Unihertz a certification statement outlining that they are using an updated version of their component that is not as invasive as the version that has previously been reported, but this is akin to letting the fox advise on security for the hen house.
The issue is of course that such components have system privileges and as such could be updated without user interaction. There is an excellent post on the Wuffs.org blog for those who want more technical details on FOTA backdoors, and the same blog goes into even more forensic detail on its findings regarding the Cosmo Communicator. The follow-up and continuation of these blog posts can be found on the Open Embedded Software Foundation (OESF) forum.
There appears to be a direct conflict between the thirst for ever more cheap, innovative tech devices and end user privacy, and it does not appear that it will be solved any time soon, particularly when the real riches are in the private user data and not the actual devices.
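To see which pre-installed components on a handset hold that kind of privilege, the output of `adb shell dumpsys package` can be audited for packages that run as the system UID or as privileged apps and have been granted the permission to install or remove software. The script below is an added example, not code from the posts referenced here; the sample dump is constructed and the package names in it are hypothetical.

```python
import re

# Constructed sample in the layout `adb shell dumpsys package` prints;
# package names are hypothetical, not taken from any real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fota] (a1b2c3d):
    userId=1000
    codePath=/system/priv-app/ExampleFota
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    privateFlags=[ PRIVILEGED ]
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (f0e1d2c):
    userId=10123
    codePath=/data/app/com.example.notes-1
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    install permissions:
      android.permission.INTERNET: granted=true
"""

SILENT_INSTALL = ("android.permission.INSTALL_PACKAGES",
                  "android.permission.DELETE_PACKAGES")

def audit_packages(dump):
    """Return {package: [reasons]} for packages able to change installed software."""
    findings = {}
    # Split into per-package blocks on the "Package [name]" header lines.
    blocks = re.split(r"^[ \t]*Package \[([^\]]+)\].*$", dump, flags=re.M)
    for name, body in zip(blocks[1::2], blocks[2::2]):
        reasons = []
        if re.search(r"^[ \t]*userId=1000[ \t]*$", body, re.M):
            reasons.append("runs as system UID 1000")
        if re.search(r"^[ \t]*privateFlags=\[[^\]]*\bPRIVILEGED\b", body, re.M):
            reasons.append("privileged system app")
        for perm in SILENT_INSTALL:
            if re.search(rf"^[ \t]*{re.escape(perm)}: granted=true", body, re.M):
                reasons.append(f"holds {perm.rsplit('.', 1)[1]}")
        # Report only packages that can actually install or remove apps.
        if any(r.startswith("holds") for r in reasons):
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for pkg, why in audit_packages(SAMPLE_DUMPSYS).items():
        print(pkg, "->", "; ".join(why))
```

On a real device, save the `dumpsys package` output to a file and pass its contents to `audit_packages`; any flagged package that is not the platform's own installer deserves a closer look.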