Update #3, August 3: BLU has now responded to Kryptowire’s newly released statement regarding the technical details on the Black Hat 2017 presentation. BLU has assured us that the behavior of the devices mentioned in the statement is in line with what the company has already stated in its press release, which can be found below.
Update #2, July 31: After a brief update over the weekend, BLU has now issued a full press release regarding allegations that its phones have been sharing personal user data. Read it below.
July 31st 2017 – Miami FL. – BLU Products responds to inaccuracies reported by several news outlets, making clear that there is absolutely no spyware or malware or secret software on BLU devices; these are inaccurate and false reports. These false reports need to be corrected by reporters who distorted the facts in several news stories last week. BLU is reaching out to several reporters to correct their articles and issue apologies, which BLU has started receiving.
The original report by Kryptowire, issued in November 2016 regarding the Adups OTA application, stated that a small fraction of BLU phones had a version of the application which was collecting phonebook contacts and text messages. Since BLU was unaware of this collection we hadn’t notified customers, thus it was deemed as a potential privacy issue. BLU moved quickly and resolved the problem by having Adups turn off this functionality.
Furthermore, BLU decided to switch the Adups OTA application on future devices with Google’s GOTA. Even though it is BLU’s policy to only use GOTA moving forward, some older devices still use ADUPS OTA.
Using ADUPS OTA is not an issue here. ADUPS is a well-known application used by several device manufacturers around the world. The issue is exactly what kind of data is actually being collected by this ADUPS application, and does it present a security or privacy risk.
BLU has several policies in place which take customer privacy and security very seriously, and confirms that there has been no breach or issue of any kind with any of its devices.
Update #1, July 29, 14:02 ET: Following the recent allegations that BLU smartphones have been secretly sharing private user data, a BLU spokesperson has contacted us to clear up some issues with the story. BLU is currently preparing a full statement on the matter, which we will provide when we receive it, but the company has denied any privacy issues with its recent phones.
“The data that is being collected is data that is needed to implement OTA functionality and basic reporting on market activation information, which is in line with what every other mobile phone in the world collects. There is nothing out of the ordinary that is being collected,” wrote the spokesperson in an email.
Further, we have been made aware that Tom Karygiannis, the VP of Product at Kryptowire — the company that originally broke the story — has also now confirmed that there are no issues with BLU’s devices.
Original coverage: US company BLU Products was at the heart of a smartphone scandal last year after it was discovered that its devices were leaking personal user data to China. A third-party app installed on the phones had been secretly transmitting user information from a reported 120,000 phones.
BLU subsequently acknowledged the unauthorized data collection and transmission, and confirmed that the offending app had been updated to remove that functionality.
According to researchers at security company Kryptowire, however, at least three BLU devices are still distributing private data without notifying users.
The news arrives from the Black Hat security conference (via CNET), which took place in Las Vegas on Wednesday. There, Kryptowire’s researchers revealed that Chinese firm Shanghai Adups Technology Company is once again at the heart of the issue.
This is the developer of the MTKLogger app that comes pre-installed on a number of BLU’s MediaTek powered handsets. The app is said to include software that tracks calls, text messages, GPS location, contact lists and more, but also has the potential to provide access to the command and control channel. This would allow Adups to “execute commands as if it’s the user,” says CNET, “meaning it could also install apps, take screenshots, record the screen, make calls and wipe devices without needing permission.”
Evidence of private user data distribution was allegedly found on the BLU Advance 5.0 — currently the second biggest selling handset on Amazon.
This issue would not only raise concerns over buying cheap phones (the BLU Advance 5.0 costs $60) but also highlight failings in Google’s own security systems. While its Verified Apps procedure is designed to weed out dangerous apps, this exploitation has twice been discovered by a third party first (Kryptowire both times).
When this spyware was first unearthed, Samuel Ohev-Zion, the BLU CEO, said it was “obviously something that [BLU was] not aware of.” Since it is now aware — what has it got to say this time?
We’ve reached out to BLU for comment regarding this news and will update this article should we receive a response. In the meantime, you might want to hold off on picking one up.