Those who have been usingAndroid since the early days know how much the security situation has improved. But it’s still far from perfect. So many companies are making and selling phones, that staggering security mistakes continue to occur from time to time. The latest scare comes by way of BLU, which partnered with Amazon to launch a $50 smartphone a few months ago. The problem: that smartphone had a rather large security hole that sent user data to a server in China. Oops.
A lot of the Android security threats that get reported are retold in breathless fashion, as if your phone is literally overflowing with hackers. This time it’s definitely a legitimate concern, and BLU needs to explain how it allowed this to happen. Although, it’s not as bad as it sounds at first.
The rogue software loaded on BLU phones was only uncovered because a security researcher from Kryptowire purchased the exceptionally cheap BLU R1 HD for an international trip. However, he noticed some unusual network traffic when he turned it on. Upon further inspection, he realized the device was transmitting substantial data to a Chinese server.
The culprit turns out to be a pre-installed service from one of BLU’s partners called Adups. This Shanghai-based startup that acts as a third-party distributor of OTA updates. So, rather than managing their own update server, BLU has Adups push updates to devices. Adups claims over 700 million active users, though virtually none of them know they are Adups users.
According to Kryptowire, Adups was collecting far more information from the device than it needed to manage OTA updates. The Chinese server was getting lists of apps used, device location data, SMS messages, and more. Even worse, these were tied to device IMEI identifiers and phone numbers. Because this is a device OTA service, it has rather extensive access to the system. It’s able to do things like remotely install apps without user knowledge. So, it’s supposed to be on the phone ― it’s not technically malware ― but it was configured incorrectly.
The good news is this does sound like a legitimate error and not an intentional attack. Adups says it did not intend to collect the detailed user data, and it was never used for anything by Adups. BLU says a firmware update has been developed that disables the excessive data collection. As long as you accept OTA updates on the phone, your data will no longer be transmitted without your knowledge.