What is "com.adups.patch"

SUPER-USER Post time 2016-12-8 18:13:52
Author: SUPER-USER

Post time 2016-12-7 21:21:50
What I'm saying is that
A) There's no indication in any vulnerability report stating that a specific version, all versions or anything in between of adups has been investigated. We can only speculate, but if I found such a vulnerability, I'd check more than one version of the affected software, and list devices that run any of the versions found to be vulnerable. But we don't really know for sure.
B) Bence says we're safe (if we don't install the upcoming Nougat beta). I've found him/her trustworthy so far, and feel I have no reason to distrust him in this one.

Post time 2016-12-8 01:02:27
Mats replied at 2016-12-7 21:21
What I'm saying is that
A) There's no indication in any vulnerability report stating a specific vers ...

OK, not too sure again of what you're saying, even if you have not read as such it seems to me that Bence does think the vulnerability belongs to a specific version, i.e. the one they have installed on the beta version, so unless Bence or somebody else has read and can confirm no other versions are affected then my suspicion is they may well be!

Post time 2016-12-8 16:12:18
mrrog replied at 2016-12-8 01:02
OK, not too sure again of what you're saying, even if you have not read as such it seems to me that B ...

Several news outlets report that the affected versions are 5.0.X to 5.3.X (http://www.techradar.com/news/be ... o-a-server-in-china for example). According to Adups itself, the affected versions are actually custom versions made specifically for one client (BLU, presumably): http://www.adups.com/article/show_article.php?id=162

If, however, you still feel uncomfortable you can disable both adups services on your phone to keep you from sleepless nights. Disabling these services will not reduce the functions of your phone apart from not being notified or being able to download new FOTA updates. For me this is fine as I prefer a "fresh" setup with SP Flash Tool anyways.
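
The disabling step described in the post above, as an added example that is not part of the original thread. It assumes the phone is reachable over adb with USB debugging enabled and that matching on the substring "adups" finds the relevant packages (the thread names only com.adups.patch); the sample package list, including com.example.adups.updater, is constructed.

```shell
#!/bin/sh
# Read `pm list packages` output ("package:<name>" lines) on stdin and
# print the names of installed packages whose name contains "adups".
adups_packages() {
    tr -d '\r' |
    awk -F: '$1 == "package" && tolower($2) ~ /adups/ { print $2 }' |
    sort -u
}

# $1 = output of `pm list packages`     (every installed package)
# $2 = output of `pm list packages -d`  (disabled packages only)
# Print one disable command per Adups package that is still enabled.
disable_plan() {
    all=$(printf '%s\n' "$1" | adups_packages)
    off=$(printf '%s\n' "$2" | adups_packages)
    for pkg in $all; do
        if ! printf '%s\n' "$off" | grep -xF "$pkg" >/dev/null; then
            echo "pm disable-user --user 0 $pkg"
        fi
    done
}

# Constructed sample output, not captured from a real device.
SAMPLE_ALL='package:com.android.settings
package:com.adups.patch
package:com.example.adups.updater
package:com.android.phone'
SAMPLE_DISABLED='package:com.example.adups.updater'

if [ "${1:-}" = "--apply" ]; then
    # Query the attached device and run each planned command on it.
    disable_plan "$(adb shell pm list packages)" \
                 "$(adb shell pm list packages -d)" |
    while read -r cmd; do
        adb shell "$cmd" </dev/null   # keep adb from eating the loop's stdin
    done
else
    # Dry run on the constructed sample: shows what would be disabled.
    disable_plan "$SAMPLE_ALL" "$SAMPLE_DISABLED"
fi
```

Run without arguments it only prints the plan for the sample list; `pm enable <package>` reverses a disable if FOTA notifications are wanted again.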

Post time 2016-12-8 18:13:52
Localhorst86 replied at 2016-12-8 16:12
Several news outlets report that the affected versions are 5.0.X to 5.3.X (http://www.techradar.co ...

OK, here is the best article I can find on it:

http://www.darkreading.com/mobil ... hina/d/d-id/1327498

Reading it confirms my suspicion that the methodology of the tests was based around a phone rather than the software itself, i.e. they did not check any versions other than those found on the phones they were interested in, which leaves a big question mark over all the Adups FOTA software, and is indeed the conclusion drawn by Kryptowire when they extended the risk to the market presence figures provided by Adups themselves. However, Adups does say the version on the BLU phones was a customised version installed in error; unfortunately, they do not appear to have responded to follow-up queries, which causes me to doubt the transparency of their position.

It seems to me there is a significant risk the FOTA behaviour extends beyond the versions of the software examined by Kryptowire, so while it may be correct to say versions 5.0.x to 5.3.x were the only ones found with the vulnerability, this is likely because these were the only versions examined.

If somebody is aware of other Adups FOTA software versions being examined, and found free of the spyware, I will happily stand corrected.