January 25, 2021

Micromax Remotely Installing Unwanted Apps on Devices: Reports


Android smartphone OEMs have in the past been blamed for filling their devices with bloatware that cannot be removed and, as a result, eats up too much of the limited storage on smartphones. However, no major manufacturer had so far been seen installing apps on its smartphones after selling them, and most definitely not without user permission or notification.

Reports are emerging that some Micromax handset owners are seeing apps installed remotely without any consent or announcement. Some users have even reported frequent display of ads in the notification bar of their Micromax handsets. Several of these user reports made their way to Reddit recently.

One of the Reddit posts says, “For the last month or so, I’ve noticed apps that I never installed – apps like newshunt, snapdeal, amazon.in etc. These aren’t exactly light apps, mind you – they’re at least 7-8MB each. Space is really short.”

XDA Developers reports that it began looking into the issue after a couple of Reddit posts detailed instances where a Micromax smartphone was involved in data mining. It found that Micromax has replaced Google’s Android firmware OTA service with a third-party app called FWupgrade.apk, made by a Chinese company called Adups. It also adds that this third-party FOTA app, installed by the company onto handsets, downloads apps in the background without any consent from the user while also showing multiple ads at once.

XDA, explaining the ways in which an app can install another app, said, “To do this from within another app, you either need to use the Android PackageManager API directly, or issue the installation commands from a shell.” The report claims Adups’ FOTA app uses the second method, installing apps through command line access.

The issue has certainly raised eyebrows as the auto-install of such apps could eat up a lot of the inbuilt storage of the smartphone as well as use mobile data in the background to install apps. Not to mention the nuisance and security risk of having ads for potentially dangerous applications being displayed.

The report, after digging some more into the app, found references to the Adups website and even came up with a list of features of the FOTA app with a promise to “Boost more revenue”. The features listed were “App push service. Device Data Mining. Unique package checking. Mobile advertising.” While XDA and users have either noticed or found evidence for three out of four of these features, the scariest, device data mining, remains unexplored. Exactly what data is being collected, to whom it is being sent, and whether it is being sent securely are questions we’d like answered. By enabling command line access for a third-party app, Micromax has also “practically left a backdoor open for the sake of profits and data mining”, notes Slashgear.

The most worrying fact here is that Micromax is obviously aware of Adups’ FOTA app installer and how it works. For a company of Micromax’s size, it is surprising it would be resorting to such a method for monetisation. Also, without explicit user permission to perform the functions it does, the app can be termed malware.

The report finds the only way to disable the app is by rooting the smartphone – as the disable button has been deactivated – and then going through some relatively complicated steps to finally disable it. This also disables the smartphone’s ability to search for updates.

We’ve reached out to Micromax to respond to these reports, and will update this post once we hear back.