S0309: Adups
Analyst context for executives and security teams
Adups matters because it represents mobile software reportedly pre-installed on Android devices that transferred sensitive user data to a server outside the user’s control. For leaders, the key issue is not only malware response; it is trust in the mobile device supply chain, especially where employee-owned or corporate-managed phones may hold contacts, call metadata, SMS content, location history, or business communications.
Executive priority
Prioritize this as a mobile supply-chain and data governance risk. Executives should ask whether mobile device procurement, bring-your-own-device access, and compliance evidence can identify pre-installed or high-risk system software that collects sensitive data. The business decision is whether mobile access to corporate resources is conditioned on device trust, software inventory, permissions visibility, and the ability to investigate suspected data exposure.
Technical view
ATT&CK provides no official detection text, so SOC and IR teams should validate coverage from the related behaviors: location tracking, software supply-chain compromise, call log access, contact list access, and SMS message access. For Android environments, confirm whether mobile management or endpoint telemetry can inventory installed and pre-installed applications, review sensitive permissions, identify access to call logs, contacts, SMS, and location, and observe network connections associated with suspicious data transfer. Treat findings carefully because some permissions and background services may be legitimate for carrier, OEM, or management functions.
Likely telemetry
- Mobile device inventory and enrolled device posture records
- Installed and pre-installed application/package inventory
- Android application permission grants for location, contacts, call logs, and SMS where available
- Mobile network connection metadata or DNS/proxy logs where collected
- MDM/UEM compliance, configuration, and app risk signals
Detection direction
- Baseline approved mobile device models, firmware/software loads, and pre-installed packages before allowing access to corporate data.
- Hunt for unexpected or excessive access to location, contact list, call log, or SMS data, especially by software that users cannot easily remove.
- Correlate mobile software inventory with network egress evidence when available; absence of mobile network telemetry is a common blind spot.
- Tune alerts to account for legitimate OEM, carrier, backup, messaging, and device-management components to reduce false positives.
- Use the related supply-chain technique context to expand scoping beyond a single app name: compromised or unwanted behavior may be introduced before the final consumer receives the device.
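One way to operationalize the baseline and permission-review steps above, as an added Python example that is not part of the MITRE object or the Glexia text: it takes a simplified package inventory (package name, pre-installed flag, granted permissions), compares it against an approved pre-installed baseline, and flags non-removable packages that reach two or more of the data classes this entry is linked to. The inventory format, package names and baseline are constructed assumptions, not any MDM's or `dumpsys` output.

```python
"""Hunt for pre-installed Android packages with excessive sensitive-data access.

Added example. The inventory below is a constructed, simplified export
(package name, system/pre-installed flag, granted permissions); it is not the
format of any particular MDM/UEM product or of `dumpsys package`.
"""

# Real Android permission names, grouped by the data classes linked to this entry.
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed sample inventory (hypothetical packages and grants).
INVENTORY = [
    {"package": "com.android.contacts", "system": True,
     "granted": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"}},
    {"package": "com.example.oem.updater", "system": True,
     "granted": {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
                 "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"}},
    {"package": "com.example.maps", "system": False,
     "granted": {"android.permission.ACCESS_FINE_LOCATION"}},
]

# Approved baseline of expected pre-installed packages (constructed).
BASELINE = {"com.android.contacts", "com.android.phone"}


def sensitive_classes(granted):
    """Return the set of sensitive data classes a permission set reaches."""
    return {cls for cls, perms in SENSITIVE.items() if granted & perms}


def hunt(inventory, baseline, min_classes=2):
    """Flag pre-installed packages that are off the baseline and reach at least
    min_classes sensitive data classes. Returns {package: sorted class list}."""
    findings = {}
    for app in inventory:
        if not app["system"] or app["package"] in baseline:
            continue  # user-removable, or already reviewed as part of the baseline
        classes = sensitive_classes(app["granted"])
        if len(classes) >= min_classes:
            findings[app["package"]] = sorted(classes)
    return findings


if __name__ == "__main__":
    for pkg, classes in hunt(INVENTORY, BASELINE).items():
        print(f"REVIEW {pkg}: pre-installed, not baselined, reaches {', '.join(classes)}")
```

Findings are review candidates, not verdicts: OEM, carrier and management components can legitimately hold these grants, so tune the baseline and min_classes to the fleet.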
Mitigation priorities
- Establish mobile procurement and BYOD policies that require trusted device sources, supported operating system versions, and managed access controls.
- Require MDM/UEM enrollment or equivalent posture validation for devices accessing corporate resources.
- Limit corporate data access from devices with unknown software provenance, unmanaged pre-installed software risk, or unreviewed sensitive permissions.
- Maintain an approved device and application baseline, including review of OEM or carrier-installed software where feasible.
- Prepare IR playbooks for mobile data exposure that include device scoping, permission review, network evidence collection, user notification decisions, and compliance documentation.
Analyst notes and limits
The supplied ATT&CK object identifies Adups as pre-installed Android software and links it to reported transfer of sensitive data, with relationships to location tracking, call log, contact list, SMS message collection, and software supply-chain compromise. The strongest defensive value is in validating mobile supply-chain governance and whether the organization can see sensitive mobile data access at all.
ATT&CK does not provide official detection guidance, tactics, aliases, labels, or object-level platforms for this software entry. The object description supports Android context, and related techniques list Android and iOS platforms, but this summary should not be read as evidence of current activity, attribution, or guaranteed detectability in any environment. Local device inventory, mobile management coverage, and network logging determine practical confidence.
Adups
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.004 | SMS Messages (sub-technique) | Adups transmitted the full contents of text messages. (Citation: NYTimes-BackDoor) |
| Mobile | T1474.003 | Compromise Software Supply Chain (sub-technique) | Adups was pre-installed on Android devices from some vendors. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor) |
| Mobile | T1430 | Location Tracking | Adups transmitted location information. (Citation: NYTimes-BackDoor) |
| Mobile | T1636.003 | Contact List (sub-technique) | Adups transmitted contact lists. (Citation: NYTimes-BackDoor) |
| Mobile | T1636.002 | Call Log (sub-technique) | Adups transmitted call logs. (Citation: NYTimes-BackDoor) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4994525aa472… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NYTimes-BackDoor: Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.
- [2] BankInfoSecurity-BackDoor: Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones? Retrieved February 6, 2017.
- [3] Adups: (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)
- [4] mitre-attack: S0309
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.