[alert variation=”alert-warning”]Update: On July 31, Amazon decided on stopping sales of all BLU phones based on security concerns, just days after this report was filed.[/alert]

Shanghai Adups continues to provide firmware to US phones seller BLU that can and does collect all sorts of data from your phone, security firm Kryptowire reports.

The controversy was first sparked last last year and prompted BLU to reportedly switch to Google-vended software updates and accuse its previous vendor of a breach in good faith while Shanghai Adups proclaimed innocence, saying that the issues “are not existing anymore.”

This time around, researcher Ryan Johnson claims that the firmware on three BLU models — including the Grand M and top-selling Advance 5.0 — allows Adups to take background control of the device. The processes are better concealed nowadays, but they are still there.

Apps can be installed out of thin air, screenshots and video capture can happen at random and factory resets could, too. All of this can be done while the user is none the wiser either during the process or at all. Plus, data such as IMEI, MAC address, your phone number and other identifiers gets sent to Shanghai Adups servers, too.

GPS coordinates aren’t covered, but network-approximated location is.

“It can generally locate a person, presuming they’re in an urban area,” Johnson said at the Black Hat conference in Las Vegas this week.

All these actions could be done on not just BLU phones, Johnson claims, but other low-cost phones from competitors as the devices run on MediaTek chipsets. They come with a companion app, “MTKLogger,” that’s susceptible to unsolicited privilege escalation — meaning that hackers can also take control of your phone if they please. Phones valued above $300 generally don’t have this firmware, meaning that people with vulnerable income are more likely to be affected to this “pretty widespread” problem.

Shanghai Adups claims that it deletes the data it receives, but there’s no telling what happens with the data between reception and deletion.

You May Also Like

Possible codenames and processors of Google Pixel 4a devices have emerged

We have the possible codenames and processors that may arrive in the upcoming Google Pixel 4a series, and maybe more Pixel devices

Samsung Galaxy S20 Ultra to arrive with a 40MP selfie camera?

Samsung Galaxy S20 Ultra may get the largest sensor ever found in a selfie camera, and 10x zoom capabilities in the S20 and S20+ is questionable

Facebook has stopped plans to insert ads into WhatsApp, for now

According to a new report, Facebook plans for integrating ads into WhatsApp may be on hold, at least for a while