Who remembers the past allegations against Xiaomi for sending device data back to China? I’m sure quite a few of you do. But this time it’s not the Chinese. It’s an Indian company. In fact, a well-known Indian company that might be stealing our data and doing other intrusive things to our smartphones. It’s Micromax. And the allegations against them are quite serious. Let’s have a look at them, shall we (with help from XDA)?
Edit: They took down their website but they put up a new one and this is even more damning. New Website appended with links and photograph.
The several complaints are listed below:
- Remotely installing apps without the user’s permission
- Filling up the already crammed internal memory with more bloatware apps
- Downloading apps using the cellular data network and using up expensive cellular data
- Pushing up to 8 to 10 notifications in the notification bar

A Reddit user reports that when he looked up the app responsible for these disturbing notifications, he was presented with a system app called “Software Update”.
Now these sound absolutely horrible, don’t they? Thus, we decided to tear down said app and have a look at what’s inside. Onwards with our investigation.
FWUpgrade.apk. Yes this is the name of the app. This app has been developed by Adups. Micromax uses this app instead of the stock Google Update. Fishy eh? Well it gets better from here.
This app has been silently installing apps according to the allegations. To do this from within another app, you either need to use the Android PackageManager API directly, or issue the installation commands from a shell. The second case is true here, as the following pieces of code show (note: this is simplified Java code; the actual code looks a bit different due to the various efforts at hiding the true cause by obfuscation).
// s2 holds the file system path of the downloaded APK
StringBuilder sb = new StringBuilder("pm install -r ");
sb.append(s2);
String cmd = sb.toString();
Here you can see a newly created StringBuilder containing the command pm install -r, to which s2 is appended; s2 is a string variable containing the file system path to a downloaded APK file. The finished string then gets passed to a new method doing something like this:
ProcessBuilder processbuilder = new ProcessBuilder(cmd);
Process process = processbuilder.start();
Here the command string is used to start a new process, which silently installs the APK file. From this we can fairly ascertain that the OTA service from Micromax can install APKs silently and without user consent.
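A triage sketch for the pattern described above, added here as an example and not taken from the app or from the original analysis: it flags decompiled Java source that both builds a `pm install` command in string literals and references a process-launching API. The function names, verdict labels and sample snippets are constructed for illustration, and the check is a heuristic, not proof that the code path is reachable.

```python
import re

# Java string literals, including escaped quotes.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# "pm install" as a shell command, not part of a longer word such as "npm install".
PM_INSTALL = re.compile(r'(?:^|[\s/;&|])pm\s+install\b')
# Java APIs that start an external process.
EXEC_SINKS = ("ProcessBuilder", "Runtime.getRuntime().exec")

def has_pm_install(source: str, window: int = 4) -> bool:
    """True if one literal, or up to `window` consecutive literals joined,
    spells a `pm install` command (catches commands split up by obfuscation)."""
    literals = STRING_LITERAL.findall(source)
    for i in range(len(literals)):
        for j in range(i + 1, min(i + window, len(literals)) + 1):
            if PM_INSTALL.search("".join(literals[i:j])):
                return True
    return False

def classify(source: str) -> str:
    """Heuristic triage verdict for one decompiled Java file."""
    command = has_pm_install(source)
    sink = any(api in source for api in EXEC_SINKS)
    if command and sink:
        return "shell-install"   # builds `pm install` and can execute it
    if command:
        return "command-only"    # string present, no process API in this file
    return "clean"

# Constructed samples. The first mirrors the simplified code quoted above.
SAMPLE_PAGE = '''
StringBuilder sb = new StringBuilder("pm install -r ");
sb.append(s2);
ProcessBuilder processbuilder = new ProcessBuilder(sb.toString());
'''
SAMPLE_SPLIT = 'String c = "pm " + "inst" + "all -r "; Runtime.getRuntime().exec(c + p);'
SAMPLE_BENIGN = '''
Intent i = new Intent(Intent.ACTION_VIEW);
i.setDataAndType(uri, "application/vnd.android.package-archive");
Log.d("npm install", "prompt shown");
'''

if __name__ == "__main__":
    for name, src in [("page", SAMPLE_PAGE), ("split", SAMPLE_SPLIT), ("benign", SAMPLE_BENIGN)]:
        print(name, classify(src))
```

A "shell-install" verdict marks a file for manual review; the benign sample shows that an installer intent, which prompts the user, is not flagged.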
Digging further in, we find references to this website (linked below). Shall we have a look at their feature set? Click on this link to see them for yourself (they took this website down, but we dug around even more).
These are their features and I quote “App push service. Device Data Mining. Mobile advertising.” That seems to coincide with the initial report on Reddit. These are official features of the app by Adups, and it’s more than likely that Micromax is getting revenue from the forced app installs and notification ads. What is interesting to note is the fact that Micromax presumably knew this, and just to get some more money chose to bundle this app instead of the original one from Google. So it would seem Micromax intentionally put their users at risk.
Edit: This is their new site.
The Temporary Solution
So how do we stop this alleged takeover of our device by Micromax? After all, our privacy and our data plans are at stake.
Root your device. Our website has an extensive guide for Micromax devices from where you can choose and root your device. This is important because disabling this app doesn’t work as it will auto start (system apps can do that).
Next up, you will have to install ADB. Read how to in this link.
Get ADB set up and execute the following command:
adb shell pm disable com.adups.fota
You can read more about the usage of this command in this tutorial about disabling apps with root access. In case you need the app back (for example when a new update is ready) you can easily enable it again with this command:
adb shell pm enable com.adups.fota
This is indeed a very unfortunate situation in which we find ourselves at this point in time. It seems that the one doing the spying is not really Xiaomi but the so-called “Indian company” Micromax. I’m sure you people have plenty to say. Please feel free to sound off in the comments below.