The old package that does exfiltrate still exists on the system image.
On the device, those two apps cannot be disabled by the user, unless you "root" the device and just delete them. Adups has used their remote application (un)installation capabilities to update the app with one that does not exfiltrate PII on the BLU R1 HD. The exfiltration application logic can be put into any package and performed, assuming the app has the permissions to get the user's PII. The vulnerability is not necessarily limited to the Adups-related packages, but we can only confirm seeing it in the two packages mentioned. We asked Kryptowire if the vulnerability was limited to devices with Adups-related packages preinstalled (,, etc.) and, if so, would disabling those packages solve the issue. However, upon reaching out to Kryptowire for more details about the report, we learned that this supposed fix might just be sweeping the larger issue under the rug. The Florida-based company issued a statement saying that the issue had been resolved following an update by Adups, which altered the apps responsible ( and ) so that they would no longer gather and report any PII. The only US phones publicly known to be affected were entry-tier models made by device manufacturer BLU Products.

These Android Phones Could Be Affected by Adups' Chinese Spyware

Mobile security researchers at Kryptowire recently uncovered spyware preinstalled on hundreds of thousands of Android smartphones by FOTA provider Adups, which was gathering personally identifiable information (PII) such as call logs, app usage data, and even the full contents of text messages and sending these to a third-party server, all without the users' knowledge.