ADUPS Android Malware Infects Barnes & Noble

ADUPS itself has advertised on its own website that it is capable of:

  • App push service

  • Device Data Mining

  • Unique package checking

  • Mobile advertising

Azzedine Benameur, director of research at Kryptowire, regards any device running ADUPS as permanently compromised. An ADUPS-enabled device should come with a disclosure that "owners can expect zero privacy or control while using it. Minus the spyware, it's a great [device.]" The hostile capability of ADUPS can be enabled at any time, and it will not be flagged as malware by any scanner since the device vendor installed it as a fully privileged OS component.

In this climate, it was quite a surprise to discover ADUPS FOTA ("Firmware Over The Air") files on the latest Nook from Barnes & Noble—the $49 BNTV450:

u0_a76@st16c7bnn:/ $ find /system 2> /dev/null | grep -i adups
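The same case-insensitive "adups" match can be run over the package manager's listing, which shows which partition each hit lives on and therefore whether the user can remove it. This is an added example, not part of the original article; the sample listing and its package names are constructed, and the three class labels are this example's own convention.

```sh
#!/bin/sh
# Added example: classify `pm list packages -f` lines that match "adups".
# Input format, one per line: package:<apk path>=<package name>

classify_adups() {
    # Reads pm output on stdin; prints "<class> <package> <path>" per match.
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}       # adb shell output may carry CRLF line endings
        line=${line#package:}
        path=${line%=*}          # split on the LAST '=': /data/app paths can contain '='
        pkg=${line##*=}
        # Case-insensitive match on path or package name, like grep -i above.
        if ! printf '%s\n' "$path $pkg" | grep -qi 'adups'; then
            continue
        fi
        case $path in
            /system/priv-app/*) class=privileged ;;              # eligible for privileged permissions
            /system/*|/vendor/*|/product/*) class=preinstalled ;; # read-only image, no user uninstall
            *) class=user-installed ;;
        esac
        printf '%s %s %s\n' "$class" "$pkg" "$path"
    done
}

# Constructed sample input (not taken from a real device).
sample_listing() {
    cat <<'EOF'
package:/system/priv-app/AdupsFota/AdupsFota.apk=com.example.fota
package:/system/app/Browser/Browser.apk=com.example.browser
package:/data/app/~~ab==/com.example.reader-cd==/base.apk=com.example.reader
package:/system/app/FotaReboot/FotaReboot.apk=com.example.adups.reboot
EOF
}

# On a device: adb shell pm list packages -f | classify_adups
sample_listing | classify_adups
```

A name match only finds components that still carry the vendor string, so an empty result does not show that the firmware is free of the agent.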

It might be noted that the BNTV450 is a clear departure for Barnes & Noble from its past OMAP/Snapdragon designs. The budget tablet appears to have been contracted to Shenzhen Jingwah Information Technology Co., Ltd., since erstwhile-partner Samsung does not manufacture Android devices in this price range. The latest tablet runs a processor from MediaTek, the MT8163 ARM Cortex-A53. MediaTek has been directly involved with ADUPS in evading Google security:

[BLU] phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google's checks. Nice one MediaTek!

MediaTek has a history of protecting malware from Google security scans and is regarded as the worst chipset vendor in the Android community. Since the BLU data theft, MediaTek devices from several OEMs in the Russian market were caught with the preinstalled "Android.DownLoader.473.origin" malware. In the last 30 days, MediaTek's reputation has fallen calamitously.

It should also be noted that BLU devices infected with ADUPS had a "Wireless Update" entry in the Application menu that could disable the ADUPS agent. There is no such functionality in the BNTV450—ADUPS cannot be quelled by the user on this device.

Barnes & Noble should have realized that these were not trustworthy hardware and software partners.

A CVE for Good Measure

It has been nearly a year since NowSecure last updated the Vulnerability Test Suite (VTS) for Android. Google has taken an unreasonably dim view of VTS and banned it from the Play store, but the scanner is invaluable for assessing the security status of an Android device.

Surprisingly, while the BNTV450 runs Android 6 Marshmallow (patch level September 5, 2016), VTS reports this device as vulnerable to CVE-2015-6616. It is extraordinary that a Mediaserver vulnerability of such age is found in a relatively new software release. The Stagefright/Mediaserver vulnerabilities were first revealed by Zimperium in July 2015, and their severity should have warranted greater attention.

For reference, the Moto G XT1028 with the latest software release runs Android 5.1 Lollipop and received its final updates in Q1 2016. VTS finds no vulnerabilities on this handset (although several critical vulnerabilities have been found since for which VTS does not probe, the most notable of which is Dirty Cow).


Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.