Android spyware secretly collecting user data was found preinstalled on a budget smartphone sold through various retailers and although the company responsible claimed it was standard data collection, one expert said this software went overboard.

Researchers at Kryptowire, a mobile security firm jumpstarted by the Defense Advanced Research Projects Agency and the Department of Homeland Security, based in Fairfax, Va., said they first came across the mobile spyware on a $59 BLU R1 HD smartphone bought from Amazon. The Android spyware "collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent" under the guise of offering better spam filtering.

"These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers and unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. The firmware could target specific users and text messages matching remotely defined keywords," Kryptowire wrote in a blog post. "The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity there are less invasive ways to provide spam filtering.

"Filtering out spam messages and calls is a nice to have feature, but there are other technical approaches towards doing it besides forwarding full text messages and contact details, infringing on users' privacy," Arsene said. "That's why metadata and message fingerprinting technologies exist, so that users' personal data is never sent as-it-is, protecting their privacy."

The company behind this firmware, and to whom the user data was sent, was Shanghai ADUPS Technology Co. Ltd., commonly known as ADUPS, which provides professional firmware over-the-air (FOTA) update services for smartphones. According to the ADUPS website, the company has 700 million active users worldwide.

ADUPS said BLU objected to the Android spyware collecting data without user consent in June 2016 and "ADUPS took immediate measures to disable that functionality on BLU phones." There was no comment on the use of this firmware on other Android devices, but ADUPS assured customers that "no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a BLU phone during that short period was deleted."

Arsene said the speed of the fix was commendable.

"From a technical perspective, declaring to have disabled the feature and removed all collected data in such a short time is commendable," Arsene said. "This means they knew what the problem was and how to quickly fix it."

ADUPS said in a statement that it takes "user privacy very seriously" and claimed the software in question was designed to help eliminate spam.

"In response to user demand to screen out junk texts and calls from advertisers, our client asked ADUPS to provide a way to flag junk texts and calls for users. We developed a solution for ADUPS FOTA application," ADUPS wrote in a blog post. "The customized version collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience. ADUPS FOTA application flags texts containing certain language associated with junk texts and flags numbers associated with junk calls and not in a user's contacts."

Arsene said data collection in general is not uncommon and can help to accurately deliver updates to specific devices in case security issues arise.

"However, users should always be notified when such information is being collected, as some might want to opt out and dismiss such features," Arsene said. "It's mandatory for any software provider to inform its customers in regards to what type of information they're collecting -- whether for marketing, commercial or for offering various functionalities. The fact that such a disclaimer was missing is a big deal as it borders [on] espionage malware practices."


SearchSecurity: Security Wire Daily News

Acting on a piece of malware provided by a victim, researchers discovered a new type of Android spyware capable of recording audio and video, turning GPS on or off, and stealing or modifying data on the phone.

While the researchers at first believed the malware originated from the notorious Italian surveillance software vendor Hacking Team, the source of the new Android spyware software may be another Italian company that provides spyware to government agencies.

"There really isn't much going on outside of the run-of-the-mill, boring, commercial spyware junk," according to researchers at the Oakland, Calif.-based security firm Red Naga, LLC. They found the suspicious software appeared to be "an app requesting almost every permission possible, claims to be an Android update, and purports to have something to do with Vodaphone APNs [access point names]."

Red Naga's researcher Tim Strazzere wrote he suspected Hacking Team was the source for the spyware, citing two IP addresses that had previously been linked to Hacking Team as well as the use of Italian language in the malware code. However, Motherboard reported the source was more likely Raxir srl, a Naples, Italy-based intelligence software startup, in large part because "Raxir" is listed as the organization linked to the certificate.

Red Naga wrote the Android spyware "has the normal abilities of most spyware," including code to automatically remove itself from the launcher after it runs once, persistence on the victim device, the ability to go silent when the victim uses the device, to surreptitiously record audio and video, and to execute further exploits downloaded through the command and control network. The spyware also turns on virtually all permissions, giving the attacker access to call logs, contacts, network connections, messaging and more.

While the Red Naga researchers were provided the malware sample by a targeted victim employed by an unnamed government, who asked to remain anonymous, they did find evidence that the Android spyware software has been used elsewhere. "While we cannot release these files due to an agreement with our contact and an ongoing criminal investigation, we have been able to find several similar files in the wild through other public feeds which closely resemble the sample we were provided. The functionality hardly changes between versions and the obfuscation is the same. Since these other samples are already publicly available, we feel comfortable talking about this threat."

Hacking Team last year suffered a major data breach in which attackers released a 400 GB trove of data that included internal documents, source code and zero-day vulnerabilities that the company used to spread its surveillance software. The breach shed light on how government agencies from numerous countries, including the United States, had purchased spyware and digital surveillance tools from Hacking Team. 


SearchSecurity: Security Wire Daily News

A piece of Android spyware recently analyzed by researchers with the RedNaga Security team seemed to be yet another Hacking Team spying tool but, according to more recent revelations, another Italian company is its likely source.

Researcher Tim Strazzere, with the help of his colleagues, analyzed the sample received practically directly from the target (who wished to remain anonymous), and discovered that the spyware:

  • Asks for practically every permission
  • Can hide itself from the launcher, ensure persistence, mute all audio on the device, turn the GPS on and off, take screenshots or record what can be seen on the screen, record video and audio, reply to or forward messages, lay low while the user is using the device, execute code, exfiltrate data, and so on.
  • Likely masquerades as an update for a Google service, as the target is shown phrases such as “Servizi Google” (Google Service) and “Aggiornamento effettuato con successo” (Successful Update).

What made him think that this might be the work of Hacking Team is the fact that the spyware contacts two IP addresses located in an address space used by previously known Hacking Team families.

The use of Italian in encrypted strings and SSL certificates is another circumstantial piece of evidence that seemed to point in that direction.

But two former Hacking Team employees and Citizen Lab researcher Bill Marczak believe that particular company was not involved in the creation of this malware.

The former analyzed the code and found it nothing like spyware samples developed by Hacking Team. The latter told Motherboard that the spyware’s infrastructure isn’t linked to Hacking Team’s – and he should know, as he’s been tracking it for a while.

But a mention in the SSL certificate used by one of the servers contains a string that might point to the right source: “Raxir”.


Raxir is the name of an Italian company, started in 2013 and housed at tech incubator “Citta’ Della Scienza” in Naples, Italy.

According to this description, the company develops software for investigations and intelligence gathering, and its software can only be used by government and law enforcement agencies.

Currently, it is only being used by those entities in Italy, as well as by the Second University of Naples (“Seconda Università degli Studi di Napoli”), but the “company has ties with Germany, and would like to reach foreign markets, and especially emerging economies/countries.”

According to Marczak’s findings – a server whose digital certificate contains the string “ProcuraNapoliRaxirSrv” – it seems that Raxir’s products are being used by the Naples’ office of the prosecutor.

Neither Hacking Team nor Raxir answered Motherboard's request for comment on the matter.

Help Net Security

A banking trojan targeting Android users is spreading through malicious ads as part of an ongoing campaign.

The scenario by which the malware spreads is all too familiar to long-suffering Windows fans, but may well come as an unpleasant shock to smartphone users.

Worse yet, Android users can get infected by the Svpeng Trojan simply by visiting mainstream websites, as researchers from Kaspersky Lab explain:

By simply viewing their favourite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q. There you are, minding your own business, reading the news and BOOM! – no additional clicks or following links required. And be careful – it’s still out there!

The malicious code is downloaded via the Google AdSense advertising network. The same tactic was used to spread the Svpeng Android banking trojan via the Meduza news portal last month.

Svpeng intercepts banking-related SMS messages as well as launching phishing windows on compromised smartphones. In addition, Svpeng siphons off all manner of private information from infected smartphones, including call history, text and multimedia messages, browser bookmarks and contacts.


The Register - Security