If you are a Micromax user, you may have noticed a few apps pre-installed which are nothing but bloatwares, but no the situation gets worse.

Micromax installing apps without permission
Micromax installing apps without permission

If you have used Micromax smartphones, or bought your first one like I did after I was convinced enough that the Indian brand is launching pretty good handsets, you might have come across some apps pre-installed on your device, like miUnlock, M!Doodle, M!Security and some stupid apps which can do nothing for you. I bought the Micromax canvas Nitro and immediately uninstalled them after rooting the phone, but that can’t be done if your device is not rooted. Now, a recent report from XDA Developers indicate that Micromax is actually installing apps remotely on their smartphones and that doesn’t require an permission from the user.

Now, this possesses some risk:

  1. You will have no idea where these apps came from (original or malicious), nor you will know the apps permissions.

  2. Micromax handsets have around 5 GB internal space so the space is luxury, and these apps will consume some storage.

  3. The apps are installed remotely, so you will never know when yyourmobile data is being used and the data plan is being consumed.

XDA Developers explained how this is done and how Micromax is doing all these, surprisingly the XDA Developers found the reason behind this: Money. Below is the input from XDA, which explains everything.

When starting to tear down the application (which is actually called FWUpgrade.apk on your filesystem), the first thing you notice is that it’s a third-party application. A Chinese company named Adups developed it as a replacement for the stock Google OTA service. Apparently, Micromax decided to use it instead of the stock one. The first hurdle you need to take for further analysis is the byte code level obfuscation, and most of the sources are really not a pleasure to read. However, if you know what you’re looking for, the app can’t hide its true nature. The evidence presented here starts out with a bit of code that shows you the potential abilities of this app and closes off with something even more interesting.

Let’s start with the silently installed apps. To do this from within another app, you either need to use the Android PackageManager API directly, or issue the installation commands from a shell. The second case is true here, as the following pieces of code show (note: this is simplified java code, the actual code looks a bit different due to the obfuscation):

StringBuilder sb = new StringBuilder(“pm install -r “);
sb.append(s2);

String cmd = sb.toString();

Here you can see a newly created StringBuilder containing the command pm install, followed by s2, which in this case is a string variable containing a file system path to a downloaded apk file. The finished string then gets passed to a new method doing something like this:

ProcessBuilder processbuilder = new ProcessBuilder(cmd);
Process process = processbuilder.start();

Here you can see that the string with the shell command is used to start-up a process which executes said command and in fact silently installs the apk file. At this point we can be fairly certain that the OTA check service in Micromax ROMs can not only download and flash system OTAs but also has the ability to silently install apps. This in itself doesn’t mean too much as it’s not necessarily a bad thing, but there’s more to come.

Inside the app I found a few references to the company’s website, including one that has an extensive feature list. Shall we have a look at the most interesting part?

adups_evidence

There you have it, in the company’s own words. App push service. Device Data Mining. Mobile advertising. That matches pretty nicely the initial report on reddit, don’t you think? So, the bad guy here is in fact Micromax since these are official features of the app by Adups, and it’s more than likely that Micromax is getting revenue from the forced app installs and notification ads. They also chose to go with this provider and not use their own servers together with Google’s stock OTA service, so they were fully aware of what impact this would have on their users.

Hope, you have heard about XDA and know about their reputation, still I would like to add another evidence. I found a new app named as M!live, which never existed in my phone, but it got installed remotely and just see the video to know what it is. Seriously, that app is one of the worst apps I have ever seen in my whole journey in the Android smartphones experience, full of ads, pop ups and all the craps they could put in the app. In the video I have also included how to remove it, though this process is temporary and doesn’t guarantee that the app won’t be installed again.