FAIRFAX, Va.--(BUSINESS WIRE)--After our initial findings about mobile device data transmission in November 2016, Kryptowire analyzed different mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties. As part of this effort, we presented our findings in the briefings section of Black Hat USA 2017. We decided to provide more technical information to clarify press reports and to help others identify additional devices that might be affected. We stand by our findings because we have clear forensic evidence, both in terms of code and in terms of network traces, to support them.
We can provide additional information to any interested parties upon request.
Manufacturers that believe their devices may be affected can contact oem@kryptowire.com for additional information.
Consumers that believe their devices may be affected can refer to the manufacturer warranty or retailer terms of purchase for more information.
| Model | Cubot X16S |
|---|---|
| Date Tested | May 2017 |
| Data Collected | Browser history, call log, text message metadata (phone number with timestamp), IMEI, IMSI, Wi-Fi MAC address, list of installed applications, and the list of applications used with timestamps. |
| Build Fingerprint | CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys |
| Build Date | October 11, 2016, 17:45:54 CST |
| Exfiltration Apps | com.adups.fota (version name = 5.2.1.1.002 and version code = 23) and com.adups.fota.sysoper (version name = 5.0.6 and version code = 506) |
| App Locations on Device | /system/app/AdupsFota/AdupsFota.apk, /system/app/AdupsFotaReboot/AdupsFotaReboot.apk, and /system/app/AdupsFotaReboot/oat/arm64/AdupsFotaReboot.odex |
| SHA-256 of AdupsFota.apk | d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972 |
| SHA-256 of AdupsFotaReboot.apk | 66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f |
| SHA-256 of AdupsFotaReboot.odex | daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650 |
| Command and Control Channel URL | http://rebootv5.adsunflower.com/ps/fetch.do |
| Primary Exfiltration URL | https://bigdata.adups.com/fota5/mobileupload.action |
| Secondary Exfiltration URL | https://push5.adups.com/dm/pushInterface.do |
| Server Location based on GeoIP2 | Jiangmen, Guangdong, China, Asia and Beijing, China, Asia |
| Capable of Text Message Exfiltration | The application contains code that will exfiltrate the body and number of text messages if triggered by a network command. The network command is received from the following URL: https://bigdata.adups.com/fota5/msgInter.action |
| Model | BLU Grand M |
|---|---|
| Date Tested | May 2017 |
| Data Collected | Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC address, device serial number, list of installed applications, and the list of applications used with timestamps. |
| Build Fingerprint | BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys |
| Build Date | Thu Dec 22 20:13:01 CST 2016 |
| Exfiltration App | com.data.acquisition (version name = 3.1.0.310 and version code = 310) |
| App Location on Device | /system/app/Fire/Fire.apk and /system/app/Fire/oat/arm/Fire.odex |
| SHA-256 of Fire.apk | b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07 |
| SHA-256 of Fire.odex | 2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702 |
| Primary Exfiltration URL | http://bigdata.advmob.cn/fire/mobileupload.do |
| Secondary Exfiltration URL | http://bigdata.advmob.cn/fire/activeUserInter.do |
| Server Location based on GeoIP2 | Jiangmen, Guangdong, China, Asia |
| Model | BLU Life One X2 |
|---|---|
| Date Tested | May 2017 |
| Data Collected | Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC address, device serial number, list of installed applications, and the list of applications used with timestamps. |
| Build Fingerprint | BLU/Life_One_X2/Life_One_X2:6.0.1/MMB29M/1477622278:user/release-keys |
| Build Date | Fri Oct 28 10:37:58 CST 2016 |
| Exfiltration App | com.data.acquisition (version name = 3.1.0.310 and version code = 310) |
| SHA-256 of Fire.apk | aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7 |
| SHA-256 of Fire.odex | 4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369 |
| Primary Exfiltration URL | http://bigdata.adsunflower.com/fire/mobileupload.do |
| Secondary Exfiltration URL | http://bigdata.advmob.cn/fire/activeUserInter.do |
| Server Location based on GeoIP2 | Jiangmen, Guangdong, China, Asia and Beijing, China, Asia |
| Model | BLU Advance 5.0 |
|---|---|
| Date Tested | July 2017 |
| Vulnerabilities | Command execution as the system user through com.adups.fota.sysoper, and logging capabilities exposed to third-party apps co-located on the device by an old version of MTKLogger (com.mediatek.mtklogger). Both vulnerabilities have been left unaddressed since late 2016. |
| Data Collected | N/A |
| Build Fingerprint | BLU/BLU_Advance_5.0/BLU_Advance_5.0:5.1/LMY47I/1458805524:user/release-key |
| Build Date | Thu Mar 24 15:48:00 CST 2016 |
| App Locations on Device | /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/MTKLogger/MTKLogger.apk |
| SHA-256 of AdupsFotaReboot.apk | 0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd |
| SHA-256 of MTKLogger.apk | 6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a |
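The tables above are usable as indicators of compromise on their own. The following script is an added example, not Kryptowire's tooling, showing how a tester would match those indicators (package names, APK/ODEX hashes, build fingerprints, and command-and-control or exfiltration hosts) against artifacts collected from a device: the output of `adb shell pm list packages -f`, `adb shell getprop ro.build.fingerprint`, `sha256sum` over pulled `/system/app` files, and a DNS or proxy log. Every sample input in the block is constructed to look like those outputs; only the indicator values are taken from the tables. The `test-keys` check is general Android knowledge (a fingerprint ending in `test-keys` means the image is signed with the publicly available AOSP test keys), not a finding stated on this page.

```python
"""Offline matcher for the Adups / Fire indicators tabulated above.

Added example, not Kryptowire's tooling. Sample inputs are constructed;
real ones come from `adb shell pm list packages -f`, `adb shell getprop
ro.build.fingerprint`, `sha256sum` over pulled files, and DNS/proxy logs.
"""
import re
from urllib.parse import urlparse

# --- indicators copied from the tables above ---------------------------------
PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper", "com.data.acquisition"}

FILE_HASHES = {  # SHA-256 of the system file -> (file name, model it was seen on)
    "d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972": ("AdupsFota.apk", "Cubot X16S"),
    "66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f": ("AdupsFotaReboot.apk", "Cubot X16S"),
    "daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650": ("AdupsFotaReboot.odex", "Cubot X16S"),
    "b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07": ("Fire.apk", "BLU Grand M"),
    "2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702": ("Fire.odex", "BLU Grand M"),
    "aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7": ("Fire.apk", "BLU Life One X2"),
    "4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369": ("Fire.odex", "BLU Life One X2"),
    "0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd": ("AdupsFotaReboot.apk", "BLU Advance 5.0"),
    "6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a": ("MTKLogger.apk", "BLU Advance 5.0"),
}

FINGERPRINTS = {
    "CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys": "Cubot X16S",
    "BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys": "BLU Grand M",
    "BLU/Life_One_X2/Life_One_X2:6.0.1/MMB29M/1477622278:user/release-keys": "BLU Life One X2",
    "BLU/BLU_Advance_5.0/BLU_Advance_5.0:5.1/LMY47I/1458805524:user/release-key": "BLU Advance 5.0",
}

URLS = [
    "http://rebootv5.adsunflower.com/ps/fetch.do",
    "https://bigdata.adups.com/fota5/mobileupload.action",
    "https://push5.adups.com/dm/pushInterface.do",
    "https://bigdata.adups.com/fota5/msgInter.action",
    "http://bigdata.advmob.cn/fire/mobileupload.do",
    "http://bigdata.advmob.cn/fire/activeUserInter.do",
    "http://bigdata.adsunflower.com/fire/mobileupload.do",
]
HOSTS = {urlparse(u).hostname for u in URLS}  # match on hostname, paths vary per build


def check_packages(pm_output):
    """Parse `pm list packages -f` lines ('package:<apk path>=<name>') and
    return (name, path) for every package name listed in the tables."""
    hits = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)=(\S+)$", line.strip())
        if m and m.group(2) in PACKAGES:
            hits.append((m.group(2), m.group(1)))
    return hits


def check_hashes(sha256sum_output):
    """Parse sha256sum output ('<hex>  <path>') and return (path, file, model)
    for every digest listed in the tables. Hash the pulled file, not the
    package name: the same package ships with different bytes per device."""
    hits = []
    for line in sha256sum_output.splitlines():
        m = re.match(r"([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if m and m.group(1).lower() in FILE_HASHES:
            name, model = FILE_HASHES[m.group(1).lower()]
            hits.append((m.group(2), name, model))
    return hits


def check_fingerprint(fp):
    """Return (model or None, signed_with_test_keys). A fingerprint ending in
    'test-keys' means the image is signed with the public AOSP test keys,
    which is worth reporting even when the exact fingerprint is unknown."""
    fp = fp.strip()
    return FINGERPRINTS.get(fp), fp.endswith("test-keys")


def check_hosts(log_lines):
    """Return the listed C2/exfiltration hosts seen in DNS or proxy log lines.
    Hosts are matched as whole names: a trailing dot (DNS FQDN) or a port is
    fine, an extra label on either side (x.bigdata.adups.com.evil) is not."""
    seen = set()
    for line in log_lines:
        for host in HOSTS:
            if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?!\.?[\w-])", line):
                seen.add(host)
    return seen


def triage(pm_output, sha256sum_output, fingerprint, log_lines):
    """Run all checks over one device's artifacts and return a report dict."""
    model, test_keys = check_fingerprint(fingerprint)
    return {
        "packages": check_packages(pm_output),
        "files": check_hashes(sha256sum_output),
        "fingerprint_model": model,
        "test_keys": test_keys,
        "hosts": sorted(check_hosts(log_lines)),
    }


# Constructed sample artifacts shaped like the real command outputs.
SAMPLE_PM = """package:/system/app/AdupsFota/AdupsFota.apk=com.adups.fota
package:/system/app/AdupsFotaReboot/AdupsFotaReboot.apk=com.adups.fota.sysoper
package:/system/priv-app/Settings/Settings.apk=com.android.settings"""
SAMPLE_SHA = """d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972  pulled/AdupsFota.apk
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  pulled/Settings.apk"""
SAMPLE_FP = "CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys"
SAMPLE_LOG = [
    "10:01:02 client 10.0.0.5 query bigdata.adups.com. A",
    "10:01:03 CONNECT push5.adups.com:443",
    "10:01:04 client 10.0.0.5 query connectivitycheck.gstatic.com. A",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PM, SAMPLE_SHA, SAMPLE_FP, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A package-name or hostname match is only a lead: the same package name can carry different code on different builds, which is why the hash check works on the pulled file bytes, and hosts should be confirmed in a capture taken while the device is idle, as the upload behaviour described above is periodic and command-driven rather than user-initiated.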
About Kryptowire
Kryptowire automatically tests and validates the security of mobile and IoT firmware and applications to the highest government and industry software assurance standards. Kryptowire was jumpstarted by the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS) in 2011, is based in Fairfax, Virginia, USA and has a customer base ranging from government agencies to national cable TV companies. For more information, visit www.kryptowire.com.