SoylentNews is people

posted by martyb on Wednesday November 16 2016, @02:19PM
from the who-owns-your-phone? dept.

Security firm Kryptowire discovered that an app in some BLU Android smartphones was transmitting personal user data to a Chinese server every three days.

The unlocked smartphone company BLU has now admitted that several of its handsets have been secretly sending out personal data collected from their owners. The data was transmitted via a third-party app that was installed on six of its phones.

According to The New York Times (paywalled article), the security firm Kryptowire first discovered that an app in some of BLU's phones was transmitting data to a Chinese server every 72 hours. It's not yet clear if the data was being mined for advertising purposes or to collect intelligence for the Chinese government. However, the story adds that the company that wrote the software, Shanghai Adups Technology Company, claims the app was made for a Chinese phone manufacturer to monitor users. It also claims it was not meant to be installed on handsets sold to a U.S. audience.

BLU has since admitted that about 120,000 of its phones "had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers" via the "Wireless Update" app. The six phone models that were affected are the R1 HD, the Energy X Plus 2, the Studio Touch, the Advance 4.0 L2, the Neo XL, and the Energy Diamond.

Well, maybe that explains why BLU smartphones are so cheap...



Related Stories

Amazon Suspends Sales of Blu Phones Due to Privacy Concerns

[...] The online retailing giant told CNET that it was suspending sales of phones from Blu, known for making ultra-cheap handsets, due to a "potential security issue."

The move comes after security firm Kryptowire demonstrated last week how software in Blu's phones collected data and sent it to servers in China without alerting people. Blu defended the software, created by a Chinese company called Shanghai Adups Technology, and denied any wrongdoing. A company spokeswoman said at the time it "has several policies in place which take customer privacy and security seriously." She added there had been no breaches.

[...] "Because security and privacy of our customers is of the utmost importance, all BLU phone models have been made unavailable for purchase on Amazon.com until the issue is resolved," Amazon said in a statement.

[...] Blu was one of the key participants in Amazon's "Prime Exclusive Phones" program, which offered steep discounts on phones to its members in exchange for ads on their lockscreen. Blu is no longer listed on the page.

Blu cited Kryptowire executive Tom Karygiannis as saying the company didn't do anything wrong, although Karygiannis later told CNET that he didn't authorize Blu to make a public statement on his behalf. He confirmed that he spoke to Amazon to give the retailer data on his findings.

Previously:
BLU Phones Secretly Sent Personal Data to China

-- submitted from IRC



This discussion has been archived. No new comments can be posted.
  • (Score: 2, Insightful) by Anonymous Coward on Wednesday November 16 2016, @02:20PM

    by Anonymous Coward on Wednesday November 16 2016, @02:20PM (#427513)

    "Well, duh."

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday November 16 2016, @02:26PM

    by Anonymous Coward on Wednesday November 16 2016, @02:26PM (#427516)

    I bought an Advance 4.0 to have as a backup phone ($89 all in). I have difficulty believing they intended to monitor anyone important at that price point, so for their own citizens and to sell the data to the US government on their own undesirables.

    • (Score: 1, Insightful) by Anonymous Coward on Wednesday November 16 2016, @03:07PM

      by Anonymous Coward on Wednesday November 16 2016, @03:07PM (#427529)

      > I have difficulty believing they intended to monitor anyone important at that price point

      Gov people need burner phones too. In fact, anything a gov employee uses a burner phone for would be of the highest interest to an intelligence service because either it's good for blackmail or it's strategic info that they really want to keep off the record.

      • (Score: 0) by Anonymous Coward on Wednesday November 16 2016, @03:52PM

        by Anonymous Coward on Wednesday November 16 2016, @03:52PM (#427554)

        Not a burner, just unlocked... account sold separately.

        As a side note, looking at the one I bought, the named services don't seem to be on it, but there is a ton of other suspect-sounding stuff. Can't decide if it's worth it to walk through and purge or just get a new backup phone.

        • (Score: -1, Troll) by Anonymous Coward on Wednesday November 16 2016, @06:02PM

          by Anonymous Coward on Wednesday November 16 2016, @06:02PM (#427650)

          Your personal experience is not relevant to the question of whether or not this would be valuable for espionage.
          TL;DR cool story bro

  • (Score: 2) by Celestial on Wednesday November 16 2016, @02:38PM

    by Celestial (4891) on Wednesday November 16 2016, @02:38PM (#427517) Journal

    The best part is that after BLU owned up to it, they said something to the effect of, "Oops, our bad. We just patched the spyware out. Your phones are now totally safe. Trust us!" Uh... huh. What little reputation they had is hopefully ruined and there will be some sort of government sanction against the company.

    • (Score: 2) by takyon on Wednesday November 16 2016, @04:41PM

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday November 16 2016, @04:41PM (#427595) Journal

      I'm sure I have mentioned BLU around here and I have considered getting one myself. Too bad.

      However, if you make a habit of wiping phones clean when you get them, then there's only the hardware left to mistrust, and that's all made in China anyway.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 4, Informative) by Hairyfeet on Wednesday November 16 2016, @10:09PM

        by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Wednesday November 16 2016, @10:09PM (#427798) Journal

        I have one and they are great phones, really built like tanks. If anybody bothered to RTFL it clearly says it's a third party app included in some models... well, who in the hell doesn't uninstall that bloatware shit? That is the first thing I do with a new phone from ANY company, get rid of all the third party crap.

        One of the best things about BLU phones IMHO is just how little third party crap is included when compared to Samsung or LG, it took me less than 2 minutes when I got my phone to have a completely stock Android phone and when I updated the OS? They didn't reinstall the crap I removed.

        So in a couple months I'll be buying me another BLU as mine is getting a bit long in the tooth (and sadly it's getting harder and harder to find ROMs for anything but the $400+ phones) and I'm sure it'll be as rock solid as my last one whereas both my LG and my Samsung barely lasted a year. If you are like me (and many of my construction/road crew customers) that really abuse your phone? I have yet to find a phone that can take punishment like a BLU. Hell one of my customers dropped his from 20 feet up in a bucket truck, it bounced off of 2 tree limbs before hitting the ground and all it did was put a little scratch on the screen.

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
        • (Score: 0, Redundant) by Anonymous Coward on Thursday November 17 2016, @01:53AM

          by Anonymous Coward on Thursday November 17 2016, @01:53AM (#427913)

          In many phones you cannot uninstall or disable bundled apps.
          No root access means they cannot be force uninstalled.
          Rooting may brick the device

    • (Score: 2) by Hairyfeet on Wednesday November 16 2016, @11:37PM

      by Hairyfeet (75) <bassbeast1968NO@SPAMgmail.com> on Wednesday November 16 2016, @11:37PM (#427854) Journal

      It now looks like it wasn't anything nearly as nefarious as TFA makes it seem. I quote "In a statement responding to Kryptowire’s report, Adups suggested the firmware discovered on the Android phones from Blu was included by mistake and was meant for use only by some specific, unnamed clients.

      The customers apparently wanted Adups to provide a way to flag junk texts and calls to users. So the firm developed a customized FOTA application that collected messages and applied backend data analytics to it to identify and flag messages that fit that category. The specialized application looks for and flags content that has been previously associated with junk messages, Adups said.

      In June 2016, the customized firmware inadvertently ended up on devices sold in the US by Blu Products. When Adups learned of the issue it took measures to disable the monitoring functionality and updated the firmware so it is no longer an issue, the Chinese firm claimed. All text messages, phone logs, contact lists, and other data collected and transmitted to Adups has been deleted, the company added."

      So it appears that BLU was selling some of their phones to some Chinese corps that wanted filtering and someone used the corporate images on phones intended for overseas. Kryptowire also says "It is not possible to know if Android phones from other vendors are similarly impacted without testing them" which means pretty much any phone that is also sold in China could have this corporate monitoring software.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 5, Touché) by RamiK on Wednesday November 16 2016, @03:20PM

    by RamiK (1813) on Wednesday November 16 2016, @03:20PM (#427536)

    That's ours to sell!

    Verizon

    --
    compiling...
    • (Score: 2) by Thexalon on Wednesday November 16 2016, @08:53PM

      by Thexalon (636) on Wednesday November 16 2016, @08:53PM (#427764)

      How dare the Chinese and Verizon steal our data! It should go only to the FBI and NSA!

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 5, Interesting) by Runaway1956 on Wednesday November 16 2016, @03:54PM

    by Runaway1956 (2926) Subscriber Badge on Wednesday November 16 2016, @03:54PM (#427559) Journal

    What does Google learn about you, when you use Google apps and Chrome, and the Google Play? Who else is mining American citizens for data? BLU did it, so I would imagine that any major distributor of telephones knows how to do it.

    I have no more faith in American corporations than I do in Chinese corporations.

    • (Score: 2) by bob_super on Wednesday November 16 2016, @05:43PM

      by bob_super (1357) on Wednesday November 16 2016, @05:43PM (#427637)

      > Who else is mining [snip] citizens for data?

      These days? Anyone making any kind of connected app or device, anywhere in the world. Exceptions probably exist, but they'll come to their senses soon.

    • (Score: 1) by tftp on Thursday November 17 2016, @05:54AM

      by tftp (806) on Thursday November 17 2016, @05:54AM (#427972) Homepage

      When you play with Google Play,
      Google plays with you.

  • (Score: 0) by Anonymous Coward on Wednesday November 16 2016, @04:32PM

    by Anonymous Coward on Wednesday November 16 2016, @04:32PM (#427586)

    Are those also bugged?

  • (Score: 2) by Azuma Hazuki on Wednesday November 16 2016, @05:11PM

    by Azuma Hazuki (5086) on Wednesday November 16 2016, @05:11PM (#427614) Journal

    ...you have your Pyro do a Spy check ("bur. Now BLU has the intelligence!

    --
    I am "that girl" your mother warned you about...
  • (Score: 2, Informative) by Sourcery42 on Wednesday November 16 2016, @06:22PM

    by Sourcery42 (6400) on Wednesday November 16 2016, @06:22PM (#427661)

    Great, it's CarrierIQ 2.0. https://en.wikipedia.org/wiki/Carrier_IQ [wikipedia.org]

    And ADUPS sounds even more invasive except for the keylogging http://www1-lw.xda-cdn.com/files/2016/11/adups_security_analysis_figure1.png [xda-cdn.com]

    Sounds like some ZTE and Huawei products may be affected too.