BLU phones sent data about calls and texts to Chinese servers [UPDATE]
The problem with being a quasi-OEM that’s reliant on Chinese sources for hardware and software is that a lot can slip past you before you have a chance to catch it. Sometimes, what slips through turns out to be a huge problem and a risk to your reputation. Such is the case for Miami-based company BLU.
According to security firm Kryptowire, select smartphone models from the budget phone seller were embedded with software provided by Shanghai Adups, a Chinese vendor. The firmware on phones such as the BLU R1 HD allowed the manufacturer to essentially mine every bit of “text messages, contact lists, call history with full telephone numbers, unique device identifiers including the [IMSI and IMEI].” It’s reported that this data was mined from every phone with the firmware installed and sent back to Adups servers in China every three days.
Manufacturers could remotely install apps onto their customers’ phones and even pick up on their specific locations. All of this information is intended to better inform the manufacturer about consumer habits and trends — for example, content scanning and telephone number read-outs are necessary in order to implement junk call and text screening, the company claims.
The most troublesome aspect of this firmware is that the feature, the specificity of its abilities and the manufacturers’ rights to obtain and use the data were not mentioned in any legal disclosure to consumers. The prospect of mobile phone users being monitored without their knowledge seems to loom larger over our heads these days.
Shanghai Adups actually offers all the features of this firmware as part of its business. While Google prohibits the use of such software in Android phones with Google Play Services, most of Adups’s contractors are from China (where Google Play Services can’t exist because of government censorship) and include ZTE and Huawei. Adups claims over 700 million active users of its firmware across mobile, automotive and other enabled platforms. In fact, the firmware that the BLU phones got was originally created for another Chinese manufacturer that requested the mining.
Adups responded to media inquiries on the BLU matter, including from The New York Times, by stating that the junk screening feature was “inadvertently included” in some BLU phones and that it has worked with the company and Google to disable, delete and prevent the proliferation of the firmware. Any data collected from the phones was destroyed. For his part, BLU CEO Samuel Ohev-Zion affirmed that the actions were taken.
“Today there is no BLU device that is collecting that information,” Ohev-Zion said to the Times.
The firm’s investigation was triggered when one of Kryptowire’s researchers bought a BLU R1 HD as a travel phone and noticed suspicious data transmissions to a server in Shanghai. The company is a contractor of the Department of Homeland Security, but worked the case on its own initiative.
Update: The US division of ZTE, a company listed by Shanghai Adups as one of its major customers for its firmware, has issued a statement:
“We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.” ZTE USA