July 1, 2017

All Your SMS and Contacts Belong to ADUPS and others

by Ryan Johnson, Angelos Stavrou, Azzedine Benameur

Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China - without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD and the BLU Life One X2. These devices actively transmitted user and device information including the full-body of text messages, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI), serial number, Media Access Control (MAC) address, and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely-defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device,