New Chinese Backdoor Discovered in Android Devices

In the December 22, 2016 edition of the NJCCIC Weekly Bulletin, we alerted members to a Chinese backdoor that had been discovered embedded in the Adups firmware installed on over 700 million Android-powered devices. After device manufacturers and retailers began refusing to sell the infected devices, Adups pushed a non-malicious version of the firmware to those affected. Recently, however, Malwarebytes researchers discovered a lingering malicious pre-installed Adups component within the firmware of Android devices that obtains system level privileges and can “install and/or update apps without a user’s knowledge or consent.” This component is included with firmware package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears on the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk. These cannot be removed from affected devices and FWUpgradeProvider cannot be disabled, although Malwarebytes does list a possible multi-step solution. It is important to note that FWUpgradeProvider is currently categorized by antivirus vendors as a “Potentially Unwanted Program” (PUP) or “Riskware” as it is capable of installing malicious data-stealing applications but is not capable of stealing data itself. The NJCCIC recommends all Android device users review the Malwarebytes report and determine whether or not their devices are affected. If so, users are encouraged to install a reputable antivirus application to help detect future instances of malicious file installation or consider discontinuing the use of these devices.