Mobile Menace Monday: Adups, old and new

A newly discovered malicious app is found on China-made mobile devices running the Android OS. This is a baked-in system app used to update the device’s firmware but is found to also steal personal information, among other things. A blog is recently published about this malware by Kryptowire.

Already we have had inquiries on whether we detect Adups or not. The answer to that is I believe we do. You see, the app in question, which goes by the package name of com.adups.fota, has a couple of variants. There is an older version seen around 2014 and a newer version that emerged mid-2016. This older version we detect and have done so since 2014. I can verify that this older version was indeed pre-installed on various Chinese mobile devices bought cheaply on online stores, mainly Amazon. I know this because ever since we started detecting this older version of com.adups.fota, we have received support tickets periodically about why we are detecting a system app that cannot be uninstall—I’ll get to how to address this later.

The new version of com.adups.fota sends the device’s IMEI number, model name, and OS version right away. The older version sends in addition the phone number, IMSI number, Serial Number of the device, and the wireless MAC address as soon as the app checks for firmware updates.

What really sets the older version of com.adups.fota apart is what is found in the unique receiver name, com.adups.fota.base.ServiceReceiver, and the corresponding code files under com.adups.fota.base. Within this code, a backdoor is opened. Thus, we simply call it Android/Backdoor.Agent. This code is not found in the newer versions of com.adups.fota.


It is unclear if what Kryptowire found was in the old version, which has been detected in the mobile anti-malware industry for years, or something new that was overlooked.

I will say this: the capabilities of the Adups app that Kryptowire found have strong resemblance to the behaviors of a malicious backdoor.

Disabling Adups

As stated above, if com.adups.fota is found on your device, it cannot be uninstalled since it is a system app. However, you can disable the app. Simply go into Settings > Apps, find the Adups app (most likely listed as System Update or Wireless Update) to open up its settings. From the Apps settings, you can disable it via clicking the Disable button. Unfortunately, this is the best users can do without rooting the device and/or re-imaging it, which is not something we recommend. But, hey, if you only paid $50 for it and are willing bear full responsibility—we’ll leave the option up to you.

Nathan Collier


April 30, 2012 – Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware…

April 24, 2012 – The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:…

May 7, 2012 – From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these…

May 14, 2012 – The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.”  In response to this we would like to…

June 1, 2012 – The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”.  You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)…

Source: Malwarebytes Labs @ November 28, 2016 at 09:27AM