Following a security research firm's revelation of shock findings at the Black Hat conference about the questionable firmware BLU uses from a vendor called Shanghai Adups, Amazon has told CNET that it has stopped sales of BLU’s smartphones pending a “potential security issue.”
“Because security and privacy of our customers is of the utmost importance, all BLU phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” Amazon said in a statement.
Kryptowire researcher Ryan Johnson, who found last November that BLU phones were sending all sorts of data to Shanghai Adups servers in China, performed more testing and found the invasive software on other models, generally at the budget end of the spectrum. Those budget phones have ranked highly in Amazon’s unlocked phones section. The firmware was also found to be vulnerable to malicious hackers and could be exploited to install apps on the device and wipe its data.
BLU and Shanghai Adups have defended the firmware, with the latter insisting that there have been security breaches. Adups has called Kryptowire’s latest presentation “slander” and has said that the same firm approved of revised firmware on the devices it had tested in November.
“We condemn the conduct of Kryptowire in the name of a third party company security protection to seeking commercial interests. At the same time, we will also retain the legitimate measures to resist Kryptowire for its malicious defamation behavior,” the company said in a statement.
Update: BLU also released a statement yesterday afternoon retreading its defense of the firmware from November. The company is criticizing media attention on Chinese servers and insists that only basic information is being collected — Johnson claims that the activity has been more vigorously concealed.
As of this weekend, Best Buy still displayed BLU phones as part of its in-store unlocked device showcase.
Update 2: BLU has commented on the Amazon sales stoppage. The statement reads in full:
Since Nov 2016 when the initial privacy concern was reported by Kryptowire, which BLU quickly remedied, Amazon has been aware of the Adups and other applications on our BLU devices which were deemed at the time by BLU, Amazon, and Kryptowire to pose no further security or privacy risk. Now almost a year later, the devices are still behaving in the same exact way, with standard and basic data collection that pose no security or privacy risk. There has been absolutely no new behavior or change in any of our devices to trigger any concern. We expect Amazon to understand this, and quickly reinstate our devices for sale.