UPDATE

LAS VEGAS—Shanghai Adups Technology Co. was roundly criticized Wednesday during a Black Hat session for continuing to use spyware called Adups on at least two Android handset makers’ phones. Researchers said the company was still collecting personal identifiable information without user consent despite coming under fire for the practice last year.

Ryan Johnson, research engineer and cofounder of Kryptowire, who was part of the original team that found the spyware, told attendees Adups was still sending user data back to the company’s Chinese-based servers as recently as May.

Last year, Kryptowire reported that popular low-cost Miami-based phone manufacturer Blu Products was using Adups on several of its phones, surreptitiously collecting user data from Blu handset models R1 HD and Life One X2.

The data included owners’ full-body of text messages, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity, serial number, Media Access Control address, and the International Mobile Equipment Identity.

Adups claims on its website 700 million devices, including cars and other connected devices, use its software.

“At the time when I found it, they were getting all this stuff—text messages, call log, GPS location—then they rolled that back,” Johnson said. “But in May, I found that Adups was still collecting PII.”

That was despite efforts by Google and Blu who worked with Adups last year to limit data collected and exfiltrated from phones.

When confronted in November 2016, Shanghai Adups Technology said the data collection was a mistake, according to Johnson’s correspondence with the company.

In a statement to Threatpost Shanghai Adups Technology stated:

“Those issues from 2016 have been solved. In Nov. 2016, a new version has been submitted and tested by the third-party security institutions, including Kryptowire, Google and AFLS Lab. It has been pushed to our official website and partners through various channels and to the users immediately. Since November 2016, all versions of FOTA were submitted to Google for certification. We only sent completely safe and reliable versions to our customers.”

The company claims the Kryptowire research is inaccurate.

Kryptowire maintains that in November Shanghai Adups Technology significantly scaled back the amount of data Adups collected from users, however is still collecting data that it shouldn’t on some Blu model phones. On the Blu’s Grand M model phone, Johnson said, Adups is still collecting cell tower IDs, list of installed applications, the user’s International Mobile Subscriber Identity and SIM serial number.

Kryptowire researchers also said a second Chinese handset manufacturer Cubot is also continuing to use the Adups software. On Cubot X16S model phones, Adups is also collecting cell tower IDs, list of installed applications, the user’s International Mobile Subscriber Identity and SIM serial number in addition to mobile browser history.

Cubot phones are popular in Europe, Africa, South America and Asia. Blu Product phones are widely sold in the United States at retail locations Best Buy and Walmart. According Johnson, Blu phones are the No. 1 unlocked phone sold via Amazon.

“There is no legitimate reason for Adups to be tracking user browser histories, never mind all the other data,” Johnson said.

In both cases data is sent back to Adups servers. According to Johnson, who tested the Cubot X16S’s software on Monday, Adups has now stopped collecting and sending data back to servers.

Still, Johnson pointed out with Shanghai Adups Technology retains the ability to execute commands on millions of phones with its software. “If it wanted, it could install apps, take screenshots or wipe handsets without needing ask for the user’s permission,” he said.

(This story was updated with a response from Adups Technology on 7/27 at 2pm ET)

Categories: Black Hat, Mobile Security, Privacy