[August 02, 2017]
Kryptowire Provides Technical Details on Black Hat 2017 Presentation: Observed ADUPS Data Collection & Data Transmission
After our initial findings about mobile device data transmission in November 2016, Kryptowire analyzed different mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties. As part of this effort, we presented our findings in the briefings section of Black Hat USA 2017. We decided to provide more technical information to clarify press reports and to help others identify additional devices that might be affected. We stand by our findings because we have clear forensic evidence, both in terms of code and in terms of network traces, to support them.

We can provide additional information to any interested parties upon request.

Manufacturers that believe their devices may be affected can contact [email protected] for additional information.

Consumers that believe their devices may be affected can refer to the manufacturer warranty or retailer terms of purchase for more information.

Model: Cubot X16S
Date Tested: May 2017
Data Collected: Browser history, call log, text message metadata (phone number with timestamp), IMEI, IMSI, Wi-Fi MAC Address, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys
Build Date: October 11, 2016, 17:45:54 CST
Exfiltration Apps: com.adups.fota (version name = 5.2.1.1.002 and version code = 23) and com.adups.fota.sysoper (version name = 5.0.6 and version code = 506)
App Locations on Device: /system/app/AdupsFota/AdupsFota.apk, /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/AdupsFotaReboot/oat/arm64/AdupsFotaReboot.odex
SHA-256 of AdupsFota.apk: d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972
SHA-256 of AdupsFotaReboot.apk: 66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f
SHA-256 of AdupsFotaReboot.odex: daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650
Command and Control Channel URL: http://rebootv5.adsunflower.com/ps/fetch.do
Primary Exfiltration URL: https://bigdata.adups.com/fota5/mobileupload.action
Secondary Exfiltration URL: https://push5.adups.com/dm/pushInterface.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia.
Capable of Text Messages Exfiltration: The application contains code that will exfiltrate the body and number of text messages if triggered by a network command. The network command is received from the following URL: https://bigdata.adups.com/fota5/msgInter.action

Model: BLU Grand M
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys
Build Date: Thu Dec 22 20:13:01 CST 2016
Exfiltration App: com.data.acquisition (version name = 3.1.0.310 and version code = 310)
App Location on Device: /system/app/Fire/Fire.apk and /system/app/Fire/oat/arm/Fire.odex
SHA-256 of Fire.apk: b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07
SHA-256 of Fire.odex: 2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702
Primary Exfiltration URL: http://bigdata.advmob.cn/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia

Model: BLU Life One X2
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Life_One_X2/Life_One_X2:6.0.1/MMB29M/1477622278:user/release-keys
Build Date: Fri Oct 28 10:37:58 CST 2016
Exfiltration App: com.data.acquisition (version name = 3.1.0.310 and version code = 310)
SHA-256 of Fire.apk: aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7
SHA-256 of Fire.odex: 4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369
Primary Exfiltration URL: http://bigdata.adsunflower.com/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia

Model: BLU Advance 5.0
Date Tested: July 2017
Vulnerabilities: Command execution as the system user (com.adups.fota.sysoper) and logging capabilities that can be used by third-party apps co-located on the device due to an old version of MTKLogger (com.mediatek.mtklogger). These vulnerabilities have been left unaddressed since late 2016.
Data Collected: N/A
Build Fingerprint: BLU/BLU_Advance_5.0/BLU_Advance_5.0:5.1/LMY47I/1458805524:user/release-key
Build Date: Thu Mar 24 15:48:00 CST 2016
App Locations on Device: /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/MTKLogger/MTKLogger.apk
SHA-256 of AdupsFotaReboot.apk: 0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd
SHA-256 of MTKLogger.apk: 6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a

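The report is published so that others can identify additional affected devices. As an added example (not Kryptowire's own tooling), the following Python script matches a device snapshot against the indicators listed in the tables above: build fingerprints, exfiltration package names, SHA-256 digests of the system APK/ODEX files, and the hostnames of the command-and-control and exfiltration URLs. It assumes the operator has already collected the plain-text output of `getprop ro.build.fingerprint`, `pm list packages -f` and `sha256sum` over the listed paths (for example via `adb shell`), plus any DNS or proxy log lines to screen. The sample command outputs and log lines embedded in the script are constructed for the demonstration; the indicator values are taken from the tables.

```python
"""Match a device snapshot against the ADUPS indicators in the tables above.

Added example, not Kryptowire's tooling. Inputs are the text output of
`getprop ro.build.fingerprint`, `pm list packages -f` and `sha256sum` run on
the device, plus optional DNS/proxy log lines. Sample inputs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Package names of the exfiltration apps named in the report.
IOC_PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper", "com.data.acquisition"}

# SHA-256 digests from the report, mapped to the artifact each identifies.
IOC_SHA256 = {
    "d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972": "Cubot X16S AdupsFota.apk",
    "66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f": "Cubot X16S AdupsFotaReboot.apk",
    "daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650": "Cubot X16S AdupsFotaReboot.odex",
    "b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07": "BLU Grand M Fire.apk",
    "2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702": "BLU Grand M Fire.odex",
    "aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7": "BLU Life One X2 Fire.apk",
    "4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369": "BLU Life One X2 Fire.odex",
    "0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd": "BLU Advance 5.0 AdupsFotaReboot.apk",
    "6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a": "BLU Advance 5.0 MTKLogger.apk",
}

# Build fingerprints of the tested firmware images.
IOC_FINGERPRINTS = {
    "CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys": "Cubot X16S",
    "BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys": "BLU Grand M",
    "BLU/Life_One_X2/Life_One_X2:6.0.1/MMB29M/1477622278:user/release-keys": "BLU Life One X2",
    "BLU/BLU_Advance_5.0/BLU_Advance_5.0:5.1/LMY47I/1458805524:user/release-key": "BLU Advance 5.0",
}

# Hostnames of the command-and-control and exfiltration URLs in the report.
IOC_HOSTS = {
    "rebootv5.adsunflower.com", "bigdata.adups.com", "push5.adups.com",
    "bigdata.advmob.cn", "bigdata.adsunflower.com",
}

# Rough hostname matcher for free-form log lines (DNS queries, proxy URLs).
HOST_RE = re.compile(r"(?<![\w.-])((?:[\w-]+\.)+[a-z]{2,})(?![\w.-])", re.IGNORECASE)


@dataclass
class Findings:
    fingerprint: Optional[str] = None              # report entry whose fingerprint matched
    packages: dict = field(default_factory=dict)   # IoC package name -> install path
    hashes: dict = field(default_factory=dict)     # file path -> artifact label
    hosts: set = field(default_factory=set)        # IoC hostnames seen in log lines

    def is_clean(self):
        return not (self.fingerprint or self.packages or self.hashes or self.hosts)


def parse_pm_list(text):
    """Parse `pm list packages -f` lines (`package:<apk path>=<package>`) into {package: path}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"package:(.+)=([\w.]+)$", line.strip())
        if m:
            out[m.group(2)] = m.group(1)
    return out


def parse_sha256sum(text):
    """Parse `sha256sum` lines (`<hex digest>  <path>`) into {path: digest}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if m:
            out[m.group(2)] = m.group(1).lower()
    return out


def match_indicators(fingerprint, pm_text, sha_text, log_lines=()):
    """Return the subset of report indicators present in the supplied device data."""
    f = Findings(fingerprint=IOC_FINGERPRINTS.get(fingerprint.strip()))
    installed = parse_pm_list(pm_text)
    f.packages = {p: installed[p] for p in sorted(IOC_PACKAGES) if p in installed}
    for path, digest in parse_sha256sum(sha_text).items():
        if digest in IOC_SHA256:
            f.hashes[path] = IOC_SHA256[digest]
    for line in log_lines:
        for host in HOST_RE.findall(line):
            if host.lower() in IOC_HOSTS:
                f.hosts.add(host.lower())
    return f


# Constructed sample device output; the Fire.apk/Fire.odex entries reuse the BLU Grand M values.
SAMPLE_FINGERPRINT = "BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys\n"
SAMPLE_PM_LIST = """\
package:/system/app/Fire/Fire.apk=com.data.acquisition
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""
SAMPLE_SHA256SUM = """\
b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07  /system/app/Fire/Fire.apk
2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702  /system/app/Fire/oat/arm/Fire.odex
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  /system/priv-app/Settings/Settings.apk
"""
SAMPLE_DNS_LOG = [
    "2017-05-03T12:00:01Z query A bigdata.advmob.cn from 10.0.0.5",
    "2017-05-03T12:00:02Z query A updates.example.com from 10.0.0.5",
]


def demo():
    return match_indicators(SAMPLE_FINGERPRINT, SAMPLE_PM_LIST, SAMPLE_SHA256SUM, SAMPLE_DNS_LOG)
```

A fingerprint match alone only says the device runs a tested build, and a package-name match alone can be a later, benign version of the updater; the hash match on the system APK/ODEX files is the strongest indicator, and a DNS or proxy hit on one of the listed hostnames confirms the transmission side. Build fingerprints and package lists are cheap to collect at scale, so a practical rollout is to screen a fleet with those first and pull file hashes only from the devices that match.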
About Kryptowire
Kryptowire automatically tests and validates the security of mobile and
IoT firmware and applications to the highest government and industry
software assurance standards. Kryptowire was jumpstarted by the Defense
Advanced Research Projects Agency (DARPA) and the Department of Homeland
Security (DHS) in 2011, is based in Fairfax, Virginia, USA and has a
customer base ranging from government agencies to national cable TV
companies. For more information, visit www.kryptowire.com.
View source version on businesswire.com: http://www.businesswire.com/news/home/20170802006019/en/