Malware by the name of ADUPS has been discovered this week that the most recent version of the Barnes & Noble NOOK tablet. This is a device available for sale from Barnes & Noble currently, and the device works with ADUPS inside when first taken out of its box. Whatever you do, gift receiver on the eve or morn of your favorite holiday, do not connect that NOOK to the internet and start signing in to accounts – hold off!
Information about this appearance of malware aboard the NOOK comes from Database Administrator and Android Security researcher Charles Fisher. Fisher writes for Linux Journal, where he’s suggested that this malware is the same that was found to plague BLU devices just this past week. As Fisher suggested this week, “In the aftermath of the BLU data theft, ADUPS hostile data collection and control over Android may (or may not) be temporarily quelled, but harmful capability remains with the ADUPS agent.”
Fisher continued, “Devices running ADUPS should be considered under malicious control, and they should not be used with sensitive data of any kind.” This malware was found to be able to execute the following, according to Kryptowire. Some of these actions are relatively harmless – but they’re mostly extremely unusual, if not outright dangerous.
• SMS Recording
• SMS Transmission
• IMEI Exfilration
• IMSI (Transmission)
• Call Log Transmission
• Call Contact Information Transmission
• Location Collection and Transmission
• Command Injection
• Remote User Application Update
• Remote User Application Install
• Transmit List of Installed Applications
• Transmit order of application execution
• Programmatic Firmware Update
• Remote Execution and Privilege Escalation (without user notification or request)
• IP Address (Transmission)
• Name (for contacts)
This ADUPS malware comes aboard the Barnes & Noble $49 (or thereabouts) NOOK tablet with code-name BNTV450. This is also known as the NOOK Tablet 7″, available from Barnes & Noble right this minute with a full 4.5-star rating. This device appears to have such a high rating because its users don’t have any clue that malware is present. This malware doesn’t present itself as such – it’s hidden. It does its nasty deeds without the knowledge of the user.
Barnes and Noble’s Chief Digital Officer Fred Argir submitted the following statement to the press, “NOOK Tablet 7” went on sale on November 26. By that time, the device automatically updated to a newer version of ADUPS (5.5), which has been certified as complying with Google’s security requirements, when first connected to Wi-Fi.”
This, of course, isn’t good enough as many users will go out of their way to avoid notifications of updates, even if they’re recommended by the company that made the device. Especially on a holiday where the NOOK is given as a gift, there’s not going to be time for many users to update their tablet – they’re going to want to try the device out as soon as possible.
“ADUPS has confirmed to Barnes & Noble that it never collected any personally identifiable information or location data from NOOK Tablet 7-inch devices, nor will it do so in the future,” said Argir. “Finally, we are working on a software update to remove ADUPS completely from the NOOK Tablet 7”. That update will be made available to download within the next few weeks, but in the meantime customers can rest assured that the device is safe to use.”
Fisher offered the following advice to Barnes & Noble this week in light of the discovery of ADUPS running free aboard their tablet:
“To Barnes & Noble, your devices with production software should be reviewed by security specialists before a release to manufacturing. Had Kryptowire, NowSecure or Zimperium assesed the security of this Android release, they would certainly have halted attempts to market an Android version with blacklisted malware and an open CVE. Far better to miss the Christmas sales season than to see your customers’ vital data in a Chinese database beyond your jurisdiction.”
We’ll be watching this set of events as they unfold over the next few weeks. Until rectified completely, we recommend – at least – to refrain from using the NOOK 7-inch tablet for now. Certainly don’t open the box, sign in to user accounts, and begin reading books. Hold on, sit tight, and avoid the pain.