Noob

AdUps software installed for OTA?


I just noticed the following files in the "/system" directory:

/system/app/AdupsPrivacyPolicy
/system/app/AdupsPrivacyPolicy/AdupsPrivacyPolicy.apk
/system/app/AdupsPrivacyPolicy/oat
/system/app/AdupsPrivacyPolicy/oat/arm64
/system/app/AdupsPrivacyPolicy/oat/arm64/AdupsPrivacyPolicy.odex
/system/app/AdupsPrivacyPolicy/oat/arm64/AdupsPrivacyPolicy.vdex

From articles like this it seems like this is for OTA updates but the company's app has a bad reputation for being spyware, sending personal data to China. From the article I linked I'm guessing this is the reason why it's being used instead of Google's service:

Quote

AdUps provides a firmware updater that these phones use instead of Google’s official updater, mostly because these small companies who sell phones at $50 to $100 a pop can’t afford to go through Google’s certification process.

If I remove this app, I presume I no longer get OTA updates. Will it be available in other ways?

EDIT: I should add that the most recent articles on this were from about 2 years ago. Not sure what the current state of this is, but I don't want to take any chances.

Edited by Noob
  • Thanks 2
  • Confused 2

20 minutes ago, Noob said:

AdUps provides a firmware updater that these phones use instead of Google’s official updater, mostly because these small companies who sell phones at $50 to $100 a pop can’t afford to go through Google’s certification process.

I think they have just gone through Google's certification process (someone has linked that the Pro1 became part of the list of officially supported phones).

Others (who have received their phones) said that initially the phone was stated as an unsupported device, maybe in a thread related to Google Play.

So if the above are true, I assume this may be a temporary solution to be able to update phones remotely and when Google certification is done (which has happened now) they can release an update and switch to the official updater.

This is my idea but I think it is possible. I don't know if there is a spyware associated or not...

  • Like 1
  • Thanks 1


From what I've found on the internet, this is made by a company who was caught a few years ago on a serious case of spying on its users, they defended themselves by saying those spying functionalities were enabled "by mistake" (you know, they likely typo'd all that spying stuff into their software, it happens...) and that next versions do not do that spying stuff.

It's software that is intended to automatically update over the air. The fact that the company survived this blunder baffles me. That's basically a remote root access to your device for update & software management purposes, right? How can you even consider giving it to a company that has been proven to spy on its users?

My question would not be "can it be removed or disabled?", but rather "why was this here in the first place, and why should I trust anything else you put on the device after that?"

Edited by Raksura

2 minutes ago, Raksura said:

How can you even consider giving it to a company that has been proven to spy on its users?

Google also spies on people... IIRC the drama with Adups was that it was not just spying, it was sending people's data unencrypted.

  • Like 3


13 minutes ago, Raksura said:

My question would not be "can it be removed or disabled?", but rather "why was this here in the first place, and why should I trust anything else you put on the device after that?"

If they had to wait for Google certification and then decided to switch temporarily to another method to be able to release the manufacturing process of the first batch and avoid further delay, that may be an explanation of the delayed production (software is part of the process, so manufacturing cannot be fully finalized before there is a solution for that).

My speculation is they will probably remove it by next OTA as they have certification of Google now so they may not need this one anymore.
This is only my thoughts if I understand well what I read.

Edited by VaZso


From further reading, it seems Adups actually continued to spy after being caught, they just did it a bit more discreetly. They should probably change their keyboards, those typos are quite problematic.

27 minutes ago, netman said:

Google also spies on people...

I really hope there's a better defense to installing spywares/backdoors than this.

20 minutes ago, VaZso said:

If they had to wait for Google certification and then decided to switch temporarily to another method to be able to release the manufacturing process of the first batch and avoid further delay, that may be an explanation of the delayed production (software is part of the process, so manufacturing cannot be fully finalized before there is a solution for that).

I am not familiar with Android, is FOTA support required, or is it just a convenience to not have to plug your device into a computer so that it updates?

Edited by Raksura

1 minute ago, VaZso said:

My speculation is they will probably remove it by next OTA as they have certification of Google now so they may not need this one anymore.

This makes sense and I am betting on the same horse.

18 minutes ago, Raksura said:

My question would not be "can it be removed or disabled?", but rather "why was this here in the first place, and why should I trust anything else you put on the device after that?"

I'd also definitely rather not see Adups on my phone, but it may be a stopgap solution to get to the next OTA update as stated, and it isn't really clear whether Adups does espionage or whether that just happens via the Adups software on certain phones and not others (what I can find to read about it is blur and confusion). To be safe completely one would want all the software on the phone to be audited and compiled by a trusted entity but that is alas not practical in the current world... Don't know if there exists a middle ground where one can really actually trust software from third parties xD. It's somewhat worrying though, the practical solutions as I see them are remove adups, run Lineage, or live dangerously :D.

  • Like 1

15 minutes ago, VaZso said:

My speculation is they will probably remove it by next OTA as they have certification of Google now so they may not need this one anymore.

This is only my thoughts if I understand well what I read.

Hope fxtec will replace that with the official Google updater.

I would really appreciate it if fxtec released all updates as a flashable image so OTA can be turned off completely.

  • Like 3

1 minute ago, Raksura said:

I really hope there's a better defense to installing spywares than this.

Calling it a defense is a stretch but it is what crossed my mind, I also hope for a better explanation 😕.

2 minutes ago, Raksura said:

I am not familiar with Android, is FOTA support required, or is it just a convenience to not have to plug your device into a computer so that it updates?

It is a convenience, you can update from a PC without FOTA. I'm not 100% sure it's possible to update via USB without erasing userdata though (but I do think so).

1 minute ago, netman said:

It is a convenience, you can update from a PC without FOTA. I'm not 100% sure it's possible to update via USB without erasing userdata though (but I do think so).

I'm not sure if USB updates are in a different format than OTA, but I did updates via recovery many times without any loss of userdata.

  • Thanks 3


I'm super disappointed if this is really being used. Installing secret spyware feels like a slap in the face to paying customers.

13 minutes ago, abielins said:

I'm super disappointed if this is really being used. Installing secret spyware feels like a slap in the face to paying customers.

This is not secret spyware. This is our OTA server partner. Also GDPR compliant.

Adups has been used by multiple OEMs and their record is reliable.

I don't know why you called those spyware but if there is any problem you found or issues discovered, we can certainly resolve together with them. But if you think in that bad way simply because you don't know or haven't heard about it, that is not a very responsible accusation and it did hurt our team. If you don't trust us DON'T buy it!

  • Thanks 4
  • Confused 2

2 minutes ago, Waxberry said:

I don't know why you called those spyware but if there is any problem you found or issues discovered, we can certainly resolve together with them. But if you think in that bad way simply because you don't know or haven't heard about it, that is not a very responsible accusation and it did hurt our team. If you don't trust us DON'T buy it!

I believe the reason for panic is explained here: https://www.blackhat.com/docs/us-17/wednesday/us-17-Johnson-All-Your-SMS-&-Contacts-Belong-To-Adups-&-Others.pdf

  • Thanks 2
  • Sad 1

1 minute ago, Waxberry said:

This is not secret spyware. This is our OTA server partner. Also GDPR compliant.

Adups has been used by multiple OEMs and their record is reliable.

I don't know why you called those spyware but if there is any problem you found or issues discovered, we can certainly resolve together with them. But if you think in that bad way simply because you don't know or haven't heard about it, that is not a very responsible accusation and it did hurt our team. If you don't trust us DON'T buy it!

I did trust you!

I'm being told that Adups might now be spyware though. Is it transmitting any personally identifiable information? Does it copy SMS messages from the phone? Can we remove it and update the system manually instead of over the air?

1 minute ago, Waxberry said:

This is not secret spyware. This is our OTA server partner. Also GDPR compliant.

Adups has been used by multiple OEMs and their record is reliable.

I don't know why you called those spyware but if there is any problem you found or issues discovered, we can certainly resolve together with them. But if you think in that bad way simply because you don't know or haven't heard about it, that is not a very responsible accusation and it did hurt our team. If you don't trust us DON'T buy it!

I'd be interested to know which other OEMs have used it. Naming names might lend credibility by association.

Certainly some people are very quick to cry wolf, and raise the ire of the villagers, without good reason. After the CarrierIQ debacle, I can understand why people could be a little nervous, but to imply the accusation that THE SINGLE MOST OPEN PHONE COMPANY EVER is putting spyware on their devices is certainly unhelpful.

  • Like 2

Just now, abielins said:

I did trust you!

I'm being told that Adups might now be spyware though. Is it transmitting any personally identifiable information? Does it copy SMS messages from the phone? Can we remove it and update the system manually instead of over the air?

From an OEM perspective, there are different ways of working with FOTA suppliers, and there is an option of paying for no tracking and tracing.

Adups has changed their service since last year and there should not be things under the table. If anyone has found any we will definitely raise the issue to them as this is not what we intended and not as in the agreement.

  • Thanks 8

5 minutes ago, netman said:

That is old, but worrying news. That the company is still in business indicates that the implications may have been overblown, or the issue quickly remedied. Huawei and ZTE were partner names I recognized. It looks like most of their partners are Chinese.

2 minutes ago, Waxberry said:

From an OEM perspective, there are different ways of working with FOTA suppliers, and there is an option of paying for no tracking and tracing.

Adups has changed their service since last year and there should not be things under the table. If anyone has found any we will definitely raise the issue to them as this is not what we intended and not as in the agreement.

Thank you for the quick replies and communication. I appreciate it!

  • Like 3

32 minutes ago, Waxberry said:

Adups has been used by multiple OEMs and their record is reliable. 

The original report made to the US government for Adups being a spyware is available here. There should be another report that showed how they continued, from what I can tell by skimming articles.

... And you actually made my point moot while I was writing my post by telling us that yes, it's a spyware if either you or they choose it to be. On an over-the-air updating software. Sorry, is that not really blatant malware? Sure, there's a backdoor, don't worry, we won't use it (although we did before), we promise.

Edited by Raksura

1 minute ago, silversolver said:

That is old, but worrying news. That the company is still in business indicates that the implications may have been overblown, or the issue quickly remedied.

You can also fairly easily find that it is no longer as dramatic as described in that pdf on the web, and what Waxberry says about paying for no tracking also makes sense. Adups certainly has a bad reputation though.

  • Like 1

4 minutes ago, Raksura said:

Sorry, is that not really blatant malware?

It has to be said that the affected phones (that I can find mention of) mostly targeted markets where there are no such laws like GDPR and whatever privacy laws the US has (as far as I know).

Edited by netman
clarification
  • Like 2

