
This last week a debate flared up between the security company Kryptowire and the cell phone manufacturer BLU over the possible inclusion of spyware (ADUPS) in BLU phones. Kryptowire initially made their claim in November, then reiterated it last week with more detailed findings. At one point last week, Amazon halted sales of the BLU phones, then re-listed them after BLU issued a statement saying the ADUPS software was normal and wasn’t capturing any sensitive data.
We here at Senrio didn’t reverse engineer any of the firmware, so I can’t say for sure whether the ADUPS software is sending private information to its servers. But we wanted to show you how you can leverage Senrio Insight to determine whether any of the phones in question connected to your network, and whether they communicated with one of the domains listed in the Kryptowire report.
You can ask Senrio questions, and it will give you answers. You can ask it: "Are there any jailbroken phones on my network?" and in seconds, you'll know!
Imagine for a moment you have a BYOD enterprise, where you allow your employees to bring any device into the office and use that device for corporate emails, texts, etc. How would you know if an employee had a BLU phone? Senrio Insight can help.
The first step is to see what Android devices you have on your network. With Senrio, this is easy. Senrio is a "Device Intelligence" platform that you can ask questions. You can ask it whether there are any Android phones on your network, or even whether there are any jailbroken phones on your network. For our case, we can simply log in and search for “Android” in our identification and behavior tags to see all Android devices.
The Senrio tag system uses many heuristics and other techniques to identify devices, and as you can see we have several devices on the network that match our search term. But in this case we are looking for a BLU phone, and we have a very easy way to track that down: we can search for the manufacturer “BLU”. It turns out we have one matching phone. The Senrio engine detected this automatically and tagged it accordingly; no user input was required.
OK, so we do have a BLU phone on the network. I wonder if it’s making connections out to any of the domains in question. The Kryptowire report claims several domains are used for both C&C and data exfiltration. One of the first domains in question is adups.com. Let's see if we can find it.
The first thing we do is select the phone and look at the device details. One of the best features in the device details is the “Flow” view. This provides a NetFlow-like view of all the connections, both inbound and outbound, for the selected device.
While I could scroll through the list, it’s much easier to look at the “Summaries”, which provide an aggregated view of all the connections. I can pull that up and search for adups.com.
Yes, we have a match! That phone is connecting out to one of the domains listed by Kryptowire. Now, you might be a little worried that more devices on our network are affected. Let's see if we have any other phones connecting to that domain. Senrio Insight has a search capability that allows us to search all outbound connections. Let's enter that DNS name and see what we find.
PHEW! Thankfully, in our case this phone is the only one connecting to this host. And as you can see from the first line, a decent amount of data was exchanged during one of the initial connections. It appears that this application is programmed to connect out to the "adups" server every day at around 12:15 pm.
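As an added example (not Senrio's code or anything from the Kryptowire report), here is the same check done by hand over a constructed NetFlow-style export: it lists which devices reach adups.com or any of its subdomains, totals the bytes each one sent, and tests whether a device's connections cluster at the same minute of the day, the daily check-in pattern described above. The record layout, device names and byte counts are assumptions invented for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of NetFlow-style records (timestamp, source device, destination host,
# bytes out). Values are invented for this example, not taken from Senrio or Kryptowire.
FLOWS = """\
2016-12-05T12:14:52 phone-blu-01 bigdata.adups.com 48120
2016-12-05T12:15:03 phone-blu-01 bigdata.adups.com 910
2016-12-05T13:02:11 laptop-07 mail.example.com 2200
2016-12-06T09:40:00 phone-xyz-02 cdn.example.net 50000
2016-12-06T12:16:20 phone-blu-01 bigdata.adups.com 1730
2016-12-07T12:13:45 phone-blu-01 bigdata.adups.com 1650
"""

WATCH_DOMAIN = "adups.com"  # domain named in the post; match the host itself or any subdomain

def parse_flows(text):
    """Parse one flow record per line into (datetime, src, dst, bytes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst.lower(), int(nbytes)))
    return rows

def host_matches(host, domain):
    """True if host is the domain or a subdomain of it (a substring test would also hit notadups.com)."""
    return host == domain or host.endswith("." + domain)

def devices_talking_to(flows, domain):
    """Map each device with outbound flows to the domain -> (flow count, total bytes)."""
    summary = defaultdict(lambda: [0, 0])
    for _, src, dst, nbytes in flows:
        if host_matches(dst, domain):
            summary[src][0] += 1
            summary[src][1] += nbytes
    return {src: tuple(counts) for src, counts in summary.items()}

def daily_checkin(flows, device, domain, tolerance_min=10):
    """If the device's flows to the domain all cluster within tolerance_min of the same
    minute of day, return that (hour, minute); otherwise return None."""
    minutes = sorted(ts.hour * 60 + ts.minute for ts, src, dst, _ in flows
                     if src == device and host_matches(dst, domain))
    if len(minutes) < 2 or minutes[-1] - minutes[0] > tolerance_min:
        return None
    return divmod(sum(minutes) // len(minutes), 60)
```

On the constructed data only phone-blu-01 reaches the domain, and its four connections all land around 12:14, which is the kind of fixed daily beacon worth flagging in a flow summary.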
Conclusions...
Senrio Insight makes it very easy to gain visibility into what’s on your network and what it’s doing. In just a few minutes’ time we can see the devices Senrio automatically identified as Android devices, and even pick out individual manufacturers. From there we can quickly search through traffic history and identify the network connections in question. With Senrio as our device intelligence platform, in seconds we have complete device visibility and awareness, alleviating our anxieties.
So how can YOU answer questions about devices on your network? Is it this easy? If not, reach out to learn how we can help.