Kryptowire Provides Technical Details on Black Hat 2017 Presentation: Observed ADUPS Data Collection & Data Transmission

Fairfax, VA
Wednesday August 2, 2017

After our initial findings about mobile device data transmission in November 2016, Kryptowire analyzed different mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties. As part of this effort, we presented our findings in the briefings section of Black Hat 2017. We decided to provide more technical information to clarify press reports and to help others identify additional devices that might be affected. We stand by our findings because we have clear forensic evidence, both in terms of code and in terms of network traces, to support them.

We can provide additional information to any interested parties upon request.

Manufacturers that believe their devices may be affected can contact [email protected] for additional information.

Consumers that believe their devices may be affected can refer to the manufacturer warranty or retailer terms of purchase for more information.


Model: Cubot X16S
Date Tested: May 2017
Data Collected: Browser history, call log, text message metadata (phone number with timestamp), IMEI, IMSI, Wi-Fi MAC Address, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys
Build Date: 2016年 10月 11日 星期二 17:45:54 CST (October 11, 2016)
Exfiltration Apps: com.adups.fota (version name = 5.2.1.1.002 and version code = 23) and com.adups.fota.sysoper (version name = 5.0.6 and version code = 506)
App Locations on Device: /system/app/AdupsFota/AdupsFota.apk, /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/AdupsFotaReboot/oat/arm64/AdupsFotaReboot.odex
SHA-256 of AdupsFota.apk: d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972
SHA-256 of AdupsFotaReboot.apk: 66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f
SHA-256 of AdupsFotaReboot.odex: daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650
Command and Control Channel URL: http://rebootv5.adsunflower.com/ps/fetch.do
Primary Exfiltration URL: https://bigdata.adups.com/fota5/mobileupload.action
Secondary Exfiltration URL: https://push5.adups.com/dm/pushInterface.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia.
Capable of Text Messages Exfiltration: The application contains code that will exfiltrate the body and number of text messages if triggered by a network command. The network command is received from the following URL: https://bigdata.adups.com/fota5/msgInter.action


Model: BLU Grand M
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys
Build Date: Thu Dec 22 20:13:01 CST 2016
Exfiltration App: com.data.acquisition (version name = 3.1.0.310 and version code = 310)
App Location on Device: /system/app/Fire/Fire.apk and /system/app/Fire/oat/arm/Fire.odex
SHA-256 of Fire.apk: b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07
SHA-256 of Fire.odex: 2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702
Primary Exfiltration URL: http://bigdata.advmob.cn/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia


Model: BLU Life One X2
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Life_One_X2/Life_One_X2:6.0.1/MMB29M/1477622278:user/release-keys
Build Date: Fri Oct 28 10:37:58 CST 2016
Exfiltration App: com.data.acquisition (version name = 3.1.0.310 and version code = 310)
SHA-256 of Fire.apk: aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7
SHA-256 of Fire.odex: 4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369
Primary Exfiltration URL: http://bigdata.adsunflower.com/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia
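
The hosts and paths listed in the tables above can be matched against proxy or gateway logs to find devices on a network that contact them. The Python below is an added example, not Kryptowire's tooling; the log layout (timestamp, client, method, target, status) and the sample lines are constructed, and the CONNECT line stands for HTTPS traffic where a non-intercepting proxy sees only the host.

```python
from urllib.parse import urlsplit

# Endpoints copied from the tables on this page: (host, path) -> role reported there.
ENDPOINTS = {
    ("rebootv5.adsunflower.com", "/ps/fetch.do"): "command and control",
    ("bigdata.adups.com", "/fota5/mobileupload.action"): "primary exfiltration",
    ("push5.adups.com", "/dm/pushInterface.do"): "secondary exfiltration",
    ("bigdata.adups.com", "/fota5/msgInter.action"): "text message exfiltration command",
    ("bigdata.advmob.cn", "/fire/mobileupload.do"): "primary exfiltration",
    ("bigdata.advmob.cn", "/fire/activeUserInter.do"): "secondary exfiltration",
    ("bigdata.adsunflower.com", "/fire/mobileupload.do"): "primary exfiltration",
}
HOSTS = {host for host, _ in ENDPOINTS}

def classify(target):
    """Return (confidence, role) for a URL or host:port, or None if nothing matches."""
    parts = urlsplit(target if "://" in target else "//" + target)
    host = (parts.hostname or "").rstrip(".").lower()  # exact host match, never substring
    role = ENDPOINTS.get((host, parts.path))
    if role:
        return ("endpoint", role)
    if host in HOSTS:
        return ("host-only", "listed host, unlisted path")
    return None

def scan(lines):
    """Return (client, target, confidence, role) for every matching log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        verdict = classify(fields[3])
        if verdict:
            hits.append((fields[1], fields[3]) + verdict)
    return hits

SAMPLE_LOG = [  # constructed log lines, not captured traffic
    "2017-05-10T08:01:12Z 10.0.0.23 POST http://bigdata.advmob.cn/fire/mobileupload.do 200",
    "2017-05-10T08:01:15Z 10.0.0.23 CONNECT bigdata.adups.com:443 200",
    "2017-05-10T08:02:40Z 10.0.0.31 GET http://RebootV5.adsunflower.com/ps/fetch.do?x=1 200",
    "2017-05-10T08:03:02Z 10.0.0.31 GET http://example.org/fire/mobileupload.do 200",
    "2017-05-10T08:03:09Z 10.0.0.40 GET http://notbigdata.adups.com.example.net/ 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

A host-only hit on one of the HTTPS hosts is the strongest signal available without TLS inspection and should be followed up on the device itself.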


Model: BLU Advance 5.0
Date Tested: July 2017
Vulnerabilities: Command execution as the system user (com.adups.fota.sysoper) and logging capabilities that can be used by third-party apps co-located on the device due to an old version of MTKLogger (com.mediatek.mtklogger). These vulnerabilities have been left unaddressed since late 2016.
Data Collected: N/A
Build Fingerprint: BLU/BLU_Advance_5.0/BLU_Advance_5.0:5.1/LMY47I/1458805524:user/release-key
Build Date: Thu Mar 24 15:48:00 CST 2016
App Locations on Device: /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/MTKLogger/MTKLogger.apk
SHA-256 of AdupsFotaReboot.apk: 0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd
SHA-256 of MTKLogger.apk: 6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a
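
To check another device against the package names and file hashes listed above, its package inventory and the hashes of its system apps can be compared with those values. The Python below is an added example, not Kryptowire's tooling; it assumes the inventory comes from `pm list packages -f` and the hashes are in `sha256sum` output format computed over files pulled from the device, and both sample inputs are constructed.

```python
# Values copied from the tables on this page: SHA-256 -> file (device model).
KNOWN_HASHES = {
    "d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972": "AdupsFota.apk (Cubot X16S)",
    "66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f": "AdupsFotaReboot.apk (Cubot X16S)",
    "daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650": "AdupsFotaReboot.odex (Cubot X16S)",
    "b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07": "Fire.apk (BLU Grand M)",
    "2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702": "Fire.odex (BLU Grand M)",
    "aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7": "Fire.apk (BLU Life One X2)",
    "4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369": "Fire.odex (BLU Life One X2)",
    "0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd": "AdupsFotaReboot.apk (BLU Advance 5.0)",
    "6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a": "MTKLogger.apk (BLU Advance 5.0)",
}
# Package names the page ties to data collection or to the reported vulnerabilities.
WATCHED_PACKAGES = {"com.adups.fota", "com.adups.fota.sysoper",
                    "com.data.acquisition", "com.mediatek.mtklogger"}

def parse_pm_list(text):
    """Parse `pm list packages -f` lines (package:<apk path>=<name>) into {name: path}."""
    packages = {}
    for line in text.splitlines():
        if line.strip().startswith("package:"):
            # The path can itself contain '=', so split on the last one.
            path, _, name = line.strip()[len("package:"):].rpartition("=")
            packages[name] = path
    return packages

def triage(pm_text, sums_text):
    """Return sorted (level, subject, detail) findings for one device."""
    findings = [("review", name, path)  # name match only: version may differ
                for name, path in parse_pm_list(pm_text).items()
                if name in WATCHED_PACKAGES]
    for line in sums_text.splitlines():
        parts = line.split(None, 1)  # sha256sum format: "<digest>  <path>"
        if len(parts) == 2 and parts[0].lower() in KNOWN_HASHES:
            findings.append(("confirmed", parts[1].strip(), KNOWN_HASHES[parts[0].lower()]))
    return sorted(findings)

# Constructed sample inputs (not captured from a real device).
SAMPLE_PM = """package:/system/app/AdupsFota/AdupsFota.apk=com.adups.fota
package:/data/app/~~Zm9v==/org.example.notes-YmFy==/base.apk=org.example.notes
package:/system/app/Fire/Fire.apk=com.data.acquisition"""
FOTA_DIGEST = next(h for h, label in KNOWN_HASHES.items() if label.startswith("AdupsFota.apk"))
SAMPLE_SUMS = (f"{FOTA_DIGEST}  /system/app/AdupsFota/AdupsFota.apk\n"
               f"{'0' * 64}  /system/app/Fire/Fire.apk\n")

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_SUMS):
        print(*finding, sep=" | ")
```

A "confirmed" finding means the file is byte-identical to one analyzed on this page; a "review" finding means only that a listed package name is present, so the installed version still has to be examined.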



About Kryptowire

Kryptowire was jumpstarted by the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS S&T). Kryptowire provides mobile application security analysis tools, anti-piracy technologies, mobile app marketplace security analytics, and Enterprise Mobility Management (EMM) solutions. Kryptowire was founded in 2011, is based in Fairfax, Virginia, and has a customer base ranging from government agencies to national cable TV companies.