Why it matters to you
Some Blu phone models might be infected with Chinese malware that steals data.
On Tuesday, the online retailer said that it was suspending the sale of Blu phones because of a “potential security issue” on the company’s cheaper models. “Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” an Amazon spokesperson said in a statement.
Blu was a key member of Amazon’s Prime Exclusive Phones program, which offered discounts on unlocked phones in exchange for ads on the lock screen. The company’s phones are no longer listed on the page.
Amazon’s decision comes a month after security firm Kryptowire demonstrated that apps on Blu phones were recording keystrokes, call logs, browser history, and unique phone identifiers like the MAC address and IMEI. In a report published in July, Kryptowire wrote that Shanghai Adups Technology, the company behind the data-collecting apps, was funneling the data to servers in China.
Kryptowire looked at more than 20 pieces of firmware for Blu phones, all of which contained exploits stemming from faulty MediaTek code. They used privilege escalation, a technique that gives certain apps more permissions than they’d normally have, to establish a command an control channel — a communications route with unfettered access to a device’s software. By executing commands as if they were the user, Adups apps could install apps, take screenshots, record the screen, make calls, and wipe devices.
MediaTek said it resolved the issue in November, but a number of Blu phone models, including the Blu Advance 5.0, haven’t received a security patch.
Blu said that is “has several policies in place which take customer privacy and security very seriously,” and Adups called it a “mistake.” But analysts at Kryptowire claims to have detected the spying software on at least three different phones.
Ryan Johnson, a research engineer and co-founder at Kryptowire, said that in May he observed Blu’s R1 HD and Grand M sending data to China containing the phone number, cell phone tower ID, and browser bookmarks.
“[It’s] generally [enough to] locate a person, presuming they’re in an urban area,” Johnson said. “It seems pretty widespread around lower-end phones.”
In a follow-up statement provided to ZDNet, Blu said that Adups software was only on some older devices, and that new phones would use Google’s Over-The-Air software.
“Blu decided to switch the Adups OTA application on future devices with Google’s GOTA,” Blu said. “Even though it is Blu’s policy to only use GOTA moving forward, some older devices still use Adups OTA.”
We’ve reached out to Amazon and Blu for comment.