A writer for Linux Journal, Charles Fisher, has blasted the new Barnes & Noble NOOK Tablet, model number BNTV450, for shipping with ADUPS software. This device has a temptingly low price of $50 and this might make it an affordable Christmas gift. However, Fisher warns against this because of the ADUPS software. Why is this important? Because ADUPS software is able to read all data on the device and transmit it to a remote server. And by “all data on the device” this really does mean what it says: anything on the device can be bundled up and transmitted to a remote server. ADUPS can transmit this data without the user knowing that it is happening. According to Fisher, devices containing the ADUPS software should be considered “compromised.” Even if the software is not activated at the time of shipping, should the ADUPS application be triggered, this would happen without any user intervention. If ADUPS seems familiar, this is because it is the same application that was included with the BLU R1 HD smartphone – and it also caused a fuss, because for the BLU device the software was sending information back to a Chinese server. In the case of the BLU R1 HD device, a software update removed the application but before then, customers could disable the ADUPS app. In the case of the new $50 Barnes & Noble tablet, this is not currently possible.
What exactly is ADUPS? It is described as a Chinese “Android firmware provisioning” company, which specialises in collecting Android device and user data, installing hostile applications and taking control of device firmware. ADUPS’ website explains that the software is capable of pushing apps to devices, data mining, unique package checking and mobile advertising services. The director of research at Kryptowire, Azzedine Benameur, explained that a device running ADUPS should be considered to be permanently compromised and come with a disclosure explaining “owners can expect zero privacy or control while using it.” ADUPS is installed on the device as a fully privileged OS component and as such is not detected by traditional malware scanners. Interestingly enough, Google has blacklisted the ADUPS agent in the Android Compatibility Test Suite (CTS). This means that ROMs containing the code should not also contain Google’s services, such as the Google Play Store. However, Fisher states that one of the reasons why ADUPS is included on the BNTV450 is because the chipset designer, MediaTek, have protected the ADUPS code from the Google security scan.
For the Barnes & Noble BNTV450, what does this mean? This particular $50 tablet has been conceived rather differently compared with previous devices. The 7.0-inch tablet is manufactured by Shenzhen Jingwah IT and is based around the MediaTek MT8163 chipset, which is a quad core, 64-bit entry level System-on-Chip. Previous Barnes & Noble tablets have been based around either the Texas Instruments OMAP or Qualcomm Snapdragon chipsets and runs a lightly modified version of Android 6.0 Marshmallow. At this time, Barnes & Noble have not released a statement so we do not know if they are to update devices by removing the code. Meanwhile, a complaint has been opened with the Federal Trade Commission.