Adups FOTA collected phone data
BLU devices shipped with ADUPS FOTA software that collected text messages, call logs, contacts, location, and app data. The update provider became a built-in surveillance channel.
Story
ADUPS was hired to do firmware-over-the-air updates. BLU directed manufacturers to preinstall ADUPS software on phones sold through major retailers. The update channel was trusted by design: it lived in the system image and did work normal users could not inspect or remove.
Kryptowire found the behavior on a BLU R1 HD in 2016. The ADUPS packages com.adups.fota and com.adups.fota.sysoper collected the contents of text messages, call logs, contacts, location, device identifiers, and installed-application data. The collection ran silently and sent data to ADUPS infrastructure in China.
The FTC later alleged that this was not needed for updates. Its complaint said ADUPS transmitted text messages every 72 hours and real-time location data every 24 hours, and that BLU failed to vet and oversee the service provider. BLU publicly said ADUPS had updated its software after the report, but the FTC alleged ADUPS continued to operate on older devices without adequate oversight.
The case sits at the boundary of supply chain and surveillance. The software was not a rogue typo package or malware added after shipment. It was an official third-party firmware component distributed through device manufacturing and update paths. That made the blast radius large, quiet, and hard for users to correct.
Affected Artifacts
- Observed
- 2015-01-01 to 2016-11-15
- Compromised Versions
- Unknown
- Fixed
- Not listed
- Hashes
-
- md5:beca89b7a9a52d39cc2c342e8886ce7a
- sha256:c7ee90a0531637778796a53d6c259ac10f0375f150b13d995ac92064517a5a7b
- Evidence
- distribution: adups.com/download/fota-client-5.0.1.apk, distribution: files.adups.com/fota-client-5.3.0.apk, pkg://android/com.adups.fota, pkg://android/com.adups.fota.sysoper , +17 more
- Start date is approximate; FTC guidance says BLU directed manufacturers to preinstall ADUPS software since at least 2015.
- Public reporting and the FTC centered on BLU devices; broader reporting said ADUPS software had a very large global device footprint, not all of which is proven to have collected the same data.
- Affected ADUPS FOTA scope was reported around versions 5.0.x through 5.3.x on various Android devices, including BLU R1 HD.
Incident Context
- Motive
- Data Collection
- Attribution
- Company
- Cause
- Vendor Deliberate Inclusion
- Transitive
- No
- Actor
- Shanghai ADUPS Technology
- User Impact
- 700000000
External References
- Lesson of BLU: Make the right privacy, security calls when working with service providersftc.gov
- Mobile Phone Maker BLU Reaches Settlement with FTC over Deceptive Privacy and Data Security Claimsftc.gov
- BLU Products and Samuel Ohev-Zion, In the Matter offtc.gov
- Over 700 Million Android Smartphones Secretly Sending Users' Data to Chinathehackernews.com
- These Android Phones Could Be Affected by Adups' Chinese Spywareandroid.gadgethacks.com
- Firmware Vulnerabilities in Android Devicesus-cert.gov
- BLU Confirms Security Issue, Patches Devicesphonescoop.com
- BLU Products privacy statementbluproducts.com
Source record: proprietary/adups/meta.yaml