{"id":10881,"date":"2017-12-18T09:10:27","date_gmt":"2017-12-18T17:10:27","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/18\/news-4653\/"},"modified":"2017-12-18T09:10:27","modified_gmt":"2017-12-18T17:10:27","slug":"news-4653","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/12\/18\/news-4653\/","title":{"rendered":"Mobile Menace Monday: upping the ante on Adups"},"content":{"rendered":"

Credit to Author: Nathan Collier| Date: Mon, 18 Dec 2017 16:00:00 +0000<\/strong><\/p>\n

Adups is back on our radar. The same China-based company caught\u00a0collecting an abundance of user data and creating a backdoor<\/a> on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android\/PUP.Riskware.Autoins.Fota.<\/p>\n

We thought they cleaned up their act<\/h3>\n

When the headlines about Adups came out in 2016, it forced the company to update a component known under the package name com.adups.fota.\u00a0<\/em>The new version was clean of wrongdoing, and we all went about on our collective our ways.<\/p>\n

However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper<\/em> and com.fw.upgrade.sysoper<\/em>, appears in the app list as UpgradeSys<\/em>, and has the filename FWUpgradeProvider.apk.<\/em><\/p>\n

\"\"<\/p>\n

They call it FWUpgradeProvider<\/h3>\n

An auto-installer is only threatening if it has system-level rights, which (unfortunately), FWUpgradeProvider<\/em> does. “How?”\u00a0you may ask. Because it comes preinstalled on various devices<\/a>. Thus, by default it has system level privileges. Essentially, this allows it to install and\/or update apps without a user’s knowledge or consent.<\/p>\n

The trend of preinstalled PUP\/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider<\/em>, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.<\/p>\n

Cannot remove, cannot disable<\/h3>\n

Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these systems apps. Malwarebytes for Android<\/a> walks you through how to disable a system app that it detects as PUP\/malware. No big deal, right? Well, here\u2019s the kicker. Recently, it was brought to our attention by many frustrated customers that\u00a0FWUpgradeProvider <\/em>cannot, I repeat, CANNOT<\/strong>, be disabled.<\/p>\n

Click to view slideshow.<\/a> <\/p>\n

Now what!?<\/h3>\n

Well friends, we\u2019re working on it. It used to be that the only choice users had was to root<\/a> their mobile device\u2014a risky practice that could lead to permanently destroying a device if done incorrectly.<\/p>\n

However, we may have found a method that can disable FWUpgradeProvider<\/em> (and other preinstalled apps) without rooting. This method uses a PC tool called Debloater<\/a>. This tool was created by the powerful XDA Developers<\/a> forum user\u00a0gatesjunior<\/a>. The tool uses an exploit found in versions 4.x.x of the Android OS, which luckily is what many phones with FWUpgradeProvider<\/em> are running. For a full tutorial, see Disabling Adups via Debloater<\/a> posted on our support forum.<\/p>\n

Deep breaths<\/h3>\n

Regretfully, the solution listed above isn\u2019t much of a solution\u2014it hasn’t fully been tested and we can’t guarantee it won’t cause damage to the mobile device. Consequently, we understand that many users are not comfortable attempting this method.<\/p>\n

As it stands, FWUpgradeProvider <\/em>is categorized as a PUP\/Riskware. PUP, or Potentially Unwanted Program<\/a>, means that it is not malware, and therefore not as threatening. Riskware means that it\u2019s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.<\/p>\n

So, if you\u2019re asking yourself if you need to replace the phone you just bought, the answer is no<\/em>. As a standalone app, FWUpgradeProvider <\/em>is not a threat. It\u2019s the potential to install other more dangerous apps that prompts us to detect. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.<\/p>\n

The post Mobile Menace Monday: upping the ante on Adups<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Nathan Collier| Date: Mon, 18 Dec 2017 16:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Adups, the same China-based company caught\u00a0collecting an abundance of user data and creating a backdoor on mobile devices in 2016, has another trick up its sleeve.<\/p>\n

Categories: <\/p>\n