BLU phones still send all of your data to Chinese servers [UPDATE]

Update: On July 31, Amazon decided on stopping sales of all BLU phones based on security concerns, just days after this report was filed.

Shanghai Adups continues to provide firmware to US phones seller BLU that can and does collect all sorts of data from your phone, security firm Kryptowire reports.

The controversy was first sparked last last year and prompted BLU to reportedly switch to Google-vended software updates and accuse its previous vendor of a breach in good faith while Shanghai Adups proclaimed innocence, saying that the issues “are not existing anymore.”

This time around, researcher Ryan Johnson claims that the firmware on three BLU models — including the Grand M and top-selling Advance 5.0 — allows Adups to take background control of the device. The processes are better concealed nowadays, but they are still there.

Apps can be installed out of thin air, screenshots and video capture can happen at random and factory resets could, too. All of this can be done while the user is none the wiser either during the process or at all. Plus, data such as IMEI, MAC address, your phone number and other identifiers gets sent to Shanghai Adups servers, too.

GPS coordinates aren’t covered, but network-approximated location is.

“It can generally locate a person, presuming they’re in an urban area,” Johnson said at the Black Hat conference in Las Vegas this week.

All these actions could be done on not just BLU phones, Johnson claims, but other low-cost phones from competitors as the devices run on MediaTek chipsets. They come with a companion app, “MTKLogger,” that’s susceptible to unsolicited privilege escalation — meaning that hackers can also take control of your phone if they please. Phones valued above $300 generally don’t have this firmware, meaning that people with vulnerable income are more likely to be affected to this “pretty widespread” problem.

Shanghai Adups claims that it deletes the data it receives, but there’s no telling what happens with the data between reception and deletion.

Discuss This Post

Share This Post

Watch the Latest Pocketnow Videos

About The Author
Jules Wang
Jules Wang is News Editor for Pocketnow and one of the hosts of the Pocketnow Weekly Podcast. He came onto the team in 2014 as an intern editing and producing videos and the podcast while he was studying journalism at Emerson College. He graduated the year after and entered into his current position at Pocketnow, full-time.