Shanghai Adups continues to provide firmware to US phones seller BLU that can and does collect all sorts of data from your phone, security firm Kryptowire reports.
The controversy was first sparked last last year and prompted BLU to reportedly switch to Google-vended software updates and accuse its previous vendor of a breach in good faith while Shanghai Adups proclaimed innocence, saying that the issues “are not existing anymore.”
This time around, researcher Ryan Johnson claims that the firmware on three BLU models — including the Grand M and top-selling Advance 5.0 — allows Adups to take background control of the device. The processes are better concealed nowadays, but they are still there.
Apps can be installed out of thin air, screenshots and video capture can happen at random and factory resets could, too. All of this can be done while the user is none the wiser either during the process or at all. Plus, data such as IMEI, MAC address, your phone number and other identifiers gets sent to Shanghai Adups servers, too.
GPS coordinates aren’t covered, but network-approximated location is.
“It can generally locate a person, presuming they’re in an urban area,” Johnson said at the Black Hat conference in Las Vegas this week.
All these actions could be done on not just BLU phones, Johnson claims, but other low-cost phones from competitors as the devices run on MediaTek chipsets. They come with a companion app, “MTKLogger,” that’s susceptible to unsolicited privilege escalation — meaning that hackers can also take control of your phone if they please. Phones valued above $300 generally don’t have this firmware, meaning that people with vulnerable income are more likely to be affected to this “pretty widespread” problem.
Shanghai Adups claims that it deletes the data it receives, but there’s no telling what happens with the data between reception and deletion.