11-15-2016 03:27 PM
In view of the news that Adups has illegally put spyware in many Android Phones (http://www.kryptowire.com/adups_security_analysis.html and http://www.theregister.co.uk/2016/11/15/android_phoning_home_to_china/)
I have blocked (in my router-rules as well as opendns)
They all resolve to the same IP address – 221.228.214.101
and
rebootv5.adsunflower.com with IP address: 61.160.47.15
I know I have had 1 warning in the past from Opendns that 1 malware had been active on my network. I am wondering if opendns could report in our status-reports which phones had contacted those sites and or been contacted from the command sites? My list of domains does not include any of them, so I am probably clean, but still I have only limited history.
11-16-2016 02:39 AM
OpenDNS Home does not provide any capability to determine what device on your network attempts to lookup a particular domain. That feature is only available with certain paid OpenDNS services, generally via an agent, but I do not think one is available for any version of Android.
11-16-2016 07:07 AM
I do not think I need to know what device attempts to lookup a domain. I just need the domain(s) to block and I would like Opendns to create a list of "Spyware Activity" if any host on the network tries to contact that blocked domain.
OpenDNS already alerts for malware-activity.
What is the best way to ask Opendns to provide this kind of capability?
11-16-2016 08:45 AM
"OpenDNS already alerts for malware-activity."
The malware protection for the home versions is pretty limited:
At this time, this feature blocks the Conficker virus and the Internet Explorer Zero Day Exploit
Or are you using an Umbrella version with enhanced malware protection?
"I just need the domain(s) to block"
You already did this with adding the related domains to your blacklist.
"I would like Opendns to create a list of "Spyware Activity" if any host on the network tries to contact that blocked domain."
These domains which you blacklisted are marked as being blocked in your dashboard stats.
https://dashboard.opendns.com/stats/all/blockeddomains
You also can suggest a new category like "Spyware": https://community.opendns.com/domaintagging/categories (scroll to the bottom of the page)
Or you can apply for malware tagging: https://community.opendns.com/domaintagging/malware_application.php
"What is the best way to ask Opendns to provide this kind of capability?"
This is what I have listed above. In addition you may raise a support ticket with OpenDNS.
https://support.opendns.com/hc/en-us/requests/new
Or you raise this as an idea in the idea bank if it has not been raised already.
https://support.opendns.com/hc/en-us/community/topics/201090987
11-16-2016 01:38 PM
Thanks for your time.
Listing the blocked domain use is probably the handiest option. That way I can always figure out later what the source-host was.
I still think that including the domains in a malware-report to the end-user may be handy. The advantage would be that owners of phones that actively upload data trigger warnings.
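Since OpenDNS Home cannot tell you which device made a lookup, the usual way to recover the source host later is to log queries at the local resolver and match them against the blocklist. The following is an added example, not code from the thread or from OpenDNS: it parses dnsmasq-style query log lines (the `log-queries` format, `query[A] name from ip`) and reports, per client, which blocklisted domains were looked up. The blocklist holds the domain quoted above plus a constructed placeholder, and the log lines are constructed sample input.

```python
import re
from collections import defaultdict

# Domains to watch: the first is quoted in the thread above; the second is a
# constructed placeholder standing in for the rest of the blocklist.
BLOCKLIST = {"rebootv5.adsunflower.com", "blocked-placeholder.example"}

# dnsmasq "log-queries" line shape: "... dnsmasq[pid]: query[A] name from 192.168.1.20"
LOG_RE = re.compile(r"query\[(?P<qtype>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def in_blocklist(name, blocklist=BLOCKLIST):
    """True if name or any parent domain is blocklisted (label-wise, not a substring match)."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_blocked_lookups(lines, blocklist=BLOCKLIST):
    """Return {source_host: {domain: count}} for queries that hit the blocklist."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line (replies, config, etc.)
        name = m.group("name").rstrip(".").lower()
        if in_blocklist(name, blocklist):
            hits[m.group("src")][name] += 1
    return {src: dict(domains) for src, domains in hits.items()}


# Constructed sample log: two clients, one of which looks up the blocklisted domain.
SAMPLE_LOG = """\
Nov 16 08:01:02 dnsmasq[1234]: query[A] rebootv5.adsunflower.com from 192.168.1.20
Nov 16 08:01:03 dnsmasq[1234]: query[A] www.example.org from 192.168.1.20
Nov 16 08:05:10 dnsmasq[1234]: query[AAAA] rebootv5.adsunflower.com from 192.168.1.20
Nov 16 08:07:44 dnsmasq[1234]: query[A] notadsunflower.com from 192.168.1.31
Nov 16 08:09:00 dnsmasq[1234]: query[A] cdn.blocked-placeholder.example from 192.168.1.31
""".splitlines()

if __name__ == "__main__":
    for src, domains in find_blocked_lookups(SAMPLE_LOG).items():
        for name, count in domains.items():
            print(f"{src} looked up {name} {count} time(s)")
```

Run against the resolver's real log file instead of `SAMPLE_LOG` to get the per-device list that the OpenDNS dashboard cannot give you.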
11-17-2016 02:16 AM
I believe the Umbrella line of services comes with such a malware report.
11-20-2016 08:55 PM
Hi yoast, I'll take a look at the domains you posted and if they are malware related they'll be blocked.
Update: The domains you posted are not malicious. They have roots in advertising and have been added for votes towards advertising. The server they are running on is located in China hence the .cn, the IP address is different. I'll keep tabs on the domains as the servers look to be misconfigured or just going up.
MohreusTR
Volunteer Security Researcher