Adups is back on our radar. The same China-based company caught collecting an abundance of user data and creating a backdoor on mobile devices in 2016 has another malicious card to throw down. This time, it’s an auto installer we detect as Android/PUP.Riskware.Autoins.Fota.
We thought they cleaned up their act
When the headlines about Adups came out in 2016, they forced the company to update a component known under the package name com.adups.fota. The new version was clean of wrongdoing, and we all went on our collective ways.
However, it appears there was a lingering component we overlooked. It comes with the package names com.adups.fota.sysoper and com.fw.upgrade.sysoper, appears in the app list as UpgradeSys, and has the filename FWUpgradeProvider.apk.
They call it FWUpgradeProvider
An auto-installer is only threatening if it has system-level rights, which, unfortunately, FWUpgradeProvider does. “How?” you may ask. Because it comes preinstalled on various devices, it has system-level privileges by default. Essentially, this allows it to install and/or update apps without a user’s knowledge or consent.
The trend of preinstalled PUP/malware has been on the rise. Historically, these cases were isolated to budget mobile devices bought from online stores. However, with FWUpgradeProvider, there are reports of it being installed on phones bought from legitimate phone carriers in countries such as the UK.
Cannot remove, cannot disable
Preinstalled system apps cannot be removed from a mobile device. Therefore, full remediation is not possible with anti-malware scanners. However, it is possible to disable these system apps. Malwarebytes for Android walks you through how to disable a system app that it detects as PUP/malware. No big deal, right? Well, here’s the kicker. Recently, it was brought to our attention by many frustrated customers that FWUpgradeProvider cannot, I repeat, CANNOT, be disabled.
Now what!?
Well friends, we’re working on it. It used to be that the only choice users had was to root their mobile device—a risky practice that could lead to permanently destroying a device if done incorrectly.
Thankfully, we found a method that can uninstall FWUpgradeProvider (and other preinstalled apps) without rooting! However, this method only uninstalls the app for the current user, not for all users. Thus, it will still reside on the device, but it will no longer be functional. For a full tutorial, see Removal instructions for Adups posted on our support forum.
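To check which of these states a device is in, the sketch below (an added example, not Malwarebytes' code and not the forum tutorial) classifies the Adups component from the text output of Android's `pm list packages` command. The package names and APK filename are the ones given in this article; the sample output and its file paths are constructed.

```python
# Added example: indicators below are the names given in the article.
ADUPS_PACKAGES = {"com.adups.fota.sysoper", "com.fw.upgrade.sysoper"}
ADUPS_APK = "FWUpgradeProvider.apk"

def parse_pm_list(output):
    """Map package name -> APK path from `pm list packages` output.

    With -f each line is `package:<apk path>=<name>`; without it, `package:<name>`.
    """
    found = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # rpartition: the path may contain '=', and may be absent entirely.
            path, _, name = line[len("package:"):].rpartition("=")
            found[name] = path
    return found

def audit(image_out, user_out, disabled_out=""):
    """Classify each Adups indicator found on the device.

    image_out:    `pm list packages -f -s -u`        (system apps, incl. removed-for-user)
    user_out:     `pm list packages -f -s --user 0`  (system apps installed for user 0)
    disabled_out: `pm list packages -d --user 0`     (apps disabled for user 0)
    """
    for_user = parse_pm_list(user_out)
    disabled = parse_pm_list(disabled_out)
    report = {}
    for name, path in parse_pm_list(image_out).items():
        if name not in ADUPS_PACKAGES and path.rsplit("/", 1)[-1] != ADUPS_APK:
            continue
        if name not in for_user:
            report[name] = "on device, removed for user"
        elif name in disabled:
            report[name] = "disabled"
        else:
            report[name] = "active"
    return report

# Constructed sample output, not captured from a real device.
IMAGE = """\
package:/system/app/FWUpgradeProvider/FWUpgradeProvider.apk=com.adups.fota.sysoper
package:/system/app/Fota/Fota.apk=com.adups.fota
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""
USER_AFTER = "\n".join(l for l in IMAGE.splitlines() if "sysoper" not in l)

if __name__ == "__main__":
    print(audit(IMAGE, IMAGE))       # before per-user removal
    print(audit(IMAGE, USER_AFTER))  # after per-user removal
```

Re-running the audit some days later also shows whether a component that was disabled or removed for the user has become active again.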
Deep breaths
Because the method listed above requires some technical ability, we understand that some users are not comfortable attempting it.
As it stands, FWUpgradeProvider is categorized as a PUP/Riskware. PUP, or Potentially Unwanted Program, means that it is not malware, and therefore not as threatening. Riskware means that it’s something that could be potentially risky. Yes, it does have auto-installing capabilities. Rest assured, though, that if anything truly malicious installs on your device, we will detect it.
So, if you’re asking yourself if you need to replace the phone you just bought, the answer is no. As a standalone app, FWUpgradeProvider is not a threat. It’s the potential to install other more dangerous apps that prompts us to detect it. Hopefully, bringing public attention to this will once again alert Adups to clean things up. If not, we will remain vigilant of any malicious apps it may try to install.
I got this on my phone, an O+ Compact Pro. I know O+ went AWOL on their devices, so no more warranties, and I’d be willing to root my device, but currently there is no easy way to root my phone, only through manual rooting, which is very likely to brick my phone. Because of that I tried the debloater, but it didn’t work; when I scanned again, FWupgradeprovider.apk was still there and active. When I switch to my phone’s settings, FWupgrade can be disabled, so I disabled it there. After a day, an unknown app installed (again); it was called enginee (another app is called infoprovider, which is found to be a virus), and yes, the FWupgrade which I disabled is now enabled. Creepy riskware, whatever you call it, it has to go.
I hope someone finds a way to remove this without rooting.
Let me guess, you’re from Ph. You ordered it on Lazada for an amazing 70/80% discount? If you are, you’re not alone.
**** that enginee and infoprovide. If you manage to root your phone, please share how.
Rooting is risky, but those two apps are more dangerous than rooting, so I’ll have to root my phone.
I bought the phone in question from a UK high street mobile phone chain store, if memory serves me correct it was Argos.
12 months later the phone now has an ‘antivirus’ app that has appeared on the home screen and another app store that looks very much like Google Play but is not Google Play.
Malwarebytes does indeed discover adups.fota.sysoper and the option to disable UpgradeSys does not appear to be available.
The phone’s owner told me that they got the ’99p Subscription’ scam message from WhatsApp this week and clicked on it. This might be a coincidence but the ‘fancy’ looking ‘antivirus’ and ‘boost’ and ‘play store’ appeared the next day.
I’m not too sure if this can be blamed on where the phone was purchased from, I sincerely hope not as it was not bought from a discount store! I hope that somebody can get to the bottom of this too, the ‘antivirus’ app and the ‘boost’ apps keep delivering adverts from organisations that I would normally deem to be reputable, one being City of Westminster College!
Gobsmacked and baffled right now!