After our initial findings about mobile device data transmission in November 2016, Kryptowire analyzed different mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties. As part of this effort, we presented our findings in the briefings section of Black Hat 2017. We decided to provide more technical information to clarify press reports and to help others identify additional devices that might be affected. We stand by our findings because we have clear forensic evidence, both in terms of code and in terms of network traces, to support them.

We can provide additional information to any interested parties upon request.

Manufacturers that believe their devices may be affected can contact [email protected] for additional information.

Consumers that believe their devices may be affected can refer to the manufacturer warranty or retailer terms of purchase for more information.


Model: Cubot X16S
Date Tested: May 2017
Data Collected: Browser history, call log, text message metadata (phone number with timestamp), IMEI, IMSI, Wi-Fi MAC Address, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: CUBOT/full_hct6735_65u_m0/hct6735_65u_m0:6.0/MRA58K/1476178691:user/test-keys
Build Date: 2016年 10月 11日 星期二 17:45:54 CST (October 11, 2016)
Exfiltration Apps: com.adups.fota (version name = 5.2.1.1.002 and version code = 23) and com.adups.fota.sysoper (version name = 5.0.6 and version code = 506)
App Locations on Device: /system/app/AdupsFota/AdupsFota.apk and /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/AdupsFotaReboot/oat/arm64/AdupsFotaReboot.odex
SHA-256 of AdupsFota.apk: d66b45f4a132a39a98f7817ad37a687f161d2088fe41966debe9754747258972
SHA-256 of AdupsFotaReboot.apk: 66795104d929ccba30081cc21bffaa57cdbf0ed88fd053b89a174ddc7e4bd36f
SHA-256 of AdupsFotaReboot.odex: daa61ebfa17fee5fdb9021ddcf2c74d2059f70f2fbb3f530cfd43eb712329650
Command and Control Channel URL: http://rebootv5.adsunflower.com/ps/fetch.do
Primary Exfiltration URL: https://bigdata.adups.com/fota5/mobileupload.action
Secondary Exfiltration URL: https://push5.adups.com/dm/pushInterface.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia.
Capable of Text Messages Exfiltration: The application contains code that will exfiltrate the body and number of text messages if triggered by a network command. The network command is received from the following URL: https://bigdata.adups.com/fota5/msgInter.action

Model: BLU Grand M
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Grand_M/Grand_M:6.0/MRA58K/1481082286:user/release-keys
Build Date: Thu Dec 22 20:13:01 CST 2016
Exfiltration App: com.data.acquisition (version name = 3.1.0.310 and version code = 310)
App Location on Device: /system/app/Fire/Fire.apk and /system/app/Fire/oat/arm/Fire.odex
SHA-256 of Fire.apk: b7474ec86d9e7e60f4c6d4a6eb0aa368f713f3a78456e5dd234a1a9c3270ee07
SHA-256 of Fire.odex: 2fb1b9f9c718014a19af3ad36943b6295821047dc819daa88cda91f77a542702
Primary Exfiltration URL: http://bigdata.advmob.cn/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia

Model: BLU Life One X2
Date Tested: May 2017
Data Collected: Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps.
Build Fingerprint: BLU/Life_One_X2/Life_One_X2:6.0.1/MMB29M/1477622278:user/release-keys
Build Date: Fri Oct 28 10:37:58 CST 2016
Exfiltration App: com.data.acquisition (version name = 3.1.0.310 and version code = 310)
SHA-256 of Fire.apk: aae9eb662ecba4324c860af55c058164e2974cbd5e8ab16eaba7c58c2d2bbec7
SHA-256 of Fire.odex: 4df9bd8f879dc199035fd22a35dacb24b1f9825fa6dee755bda913e74ab4e369
Primary Exfiltration URL: http://bigdata.adsunflower.com/fire/mobileupload.do
Secondary Exfiltration URL: http://bigdata.advmob.cn/fire/activeUserInter.do
Server Location based on GeoIP2: Jiangmen, Guangdong, China, Asia and Beijing, China, Asia

Model: BLU Advance 5.0
Date Tested: July 2017
Vulnerabilities: Command execution as the system user (com.adups.fota.sysoper) and logging capabilities that can be used by third-party apps co-located on the device due to an old version of MTKLogger (com.mediatek.mtklogger). These vulnerabilities have been left unaddressed since late 2016.
Data Collected: N/A
Build Fingerprint: BLU/BLU_Advance_5.0/BLU_Advance_5.0:5.1/LMY47I/1458805524:user/release-key
Build Date: Thu Mar 24 15:48:00 CST 2016
App Locations on Device: /system/app/AdupsFotaReboot/AdupsFotaReboot.apk and /system/app/MTKLogger/MTKLogger.apk
SHA-256 of AdupsFotaReboot.apk: 0ddd165222e999081b2fc0e5b479c4db17ac322838011108ba30be4b957db4fd
SHA-256 of MTKLogger.apk: 6a8f0d8014629b5bd7f0203a001d1d44de3b3f4d0030d3f13990a7ed2feb271a
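
As an added example (not Kryptowire's code), the endpoints listed for the devices above can be matched against web-proxy logs to find other handsets on a network that contact them. The one-line log format and the sample entries are assumptions constructed for illustration. For the HTTPS endpoints a non-intercepting proxy sees only the CONNECT host, so those hits are reported as host-only.

```python
from urllib.parse import urlsplit

# Endpoints copied from the device entries on this page, with the role given there.
ENDPOINTS = {
    "http://rebootv5.adsunflower.com/ps/fetch.do": "command and control",
    "https://bigdata.adups.com/fota5/mobileupload.action": "primary exfiltration",
    "https://push5.adups.com/dm/pushInterface.do": "secondary exfiltration",
    "https://bigdata.adups.com/fota5/msgInter.action": "text-message command",
    "http://bigdata.advmob.cn/fire/mobileupload.do": "primary exfiltration",
    "http://bigdata.advmob.cn/fire/activeUserInter.do": "secondary exfiltration",
    "http://bigdata.adsunflower.com/fire/mobileupload.do": "primary exfiltration",
}

# host -> {path: role}, so a request can match on host alone or on host + path.
INDEX = {}
for _url, _role in ENDPOINTS.items():
    _u = urlsplit(_url)
    INDEX.setdefault(_u.hostname, {})[_u.path] = _role

def classify(method, target):
    """Return (confidence, host, roles) for one proxy request, or None."""
    if method.upper() == "CONNECT":      # TLS tunnel: the proxy sees host:port only
        host, path = target.rsplit(":", 1)[0].lower(), None
    else:                                # plain HTTP: full URL, query string ignored
        u = urlsplit(target)
        host, path = (u.hostname or "").lower(), u.path
    paths = INDEX.get(host)
    if paths is None:
        return None
    if path in paths:
        return ("exact", host, [paths[path]])
    return ("host-only", host, sorted(set(paths.values())))

def scan(log_lines):
    """Assumed log format: '<client-ip> <METHOD> <target>' on each line."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and (verdict := classify(parts[1], parts[2])):
            hits.append((parts[0],) + verdict)
    return hits

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "10.0.0.21 POST http://bigdata.advmob.cn/fire/mobileupload.do",
    "10.0.0.21 GET http://example.org/index.html",
    "10.0.0.34 CONNECT bigdata.adups.com:443",
    "10.0.0.34 GET http://rebootv5.adsunflower.com/ps/fetch.do?t=0",
    "10.0.0.40 GET http://bigdata.adsunflower.com/other",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A host-only hit identifies a client worth pulling for inspection; confirming the installed packages and file hashes against the entries above is a separate on-device step.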