Report: Backdoor access in the Blu R1 HD and other phones sent data to China

Derek Walter | Nov. 16, 2016
[Updated] The spyware impacted some prepaid and international models, but Blu says that a software fix has patched the privacy breach.

[Updated on 18 November 2016, 1400hrs (Singapore time), to include Huawei's media statement that Adups is not their supplier]

Some Blu smartphone owners got a hidden feature they weren’t quite expecting.

It turned out that software from a Chinese company was transmitting all of their text messages and other data to China every 72 hours. The vulnerability was discovered by Kryptowire, an American enterprise security firm.

According to a New York Times report, it wasn’t clear whether the information went any further than its recipient, Shanghai Adups Technology Company, but the issue affected the Blu R1 HD and other phones.

On its website, Adups says it builds firmware that runs on more than 700 million phones. Kryptowire concluded that the data sharing included the full contents of text messages, call logs, contact lists, location information, and other data. It also included other identifying information, such as each phone’s International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI).

Blu Products told The Times that 120,000 of its phones were affected, but the leak was plugged through a software update. Blu is known primarily for low-cost phones, such as the Blu R1 HD, which recently was part of a special offered by Amazon for $50.

Adups provides software for ZTE, although it’s unclear if the scope of the data mining effort extends to other products as well. The earlier version of this article stated that Adups also provides software for Huawei. However, Huawei has confirmed that Adups is not a supplier for its software products on its phones. In a press statement, the company said: "Huawei takes our customers' privacy and security very seriously, and we work diligently to safeguard that privacy and security. [Adups] is not on our list of approved suppliers, and we have never conducted any form of business with them."

According to the report, Adups assured Blu that all customer information had been destroyed and was not part of any intentional effort to keep the data or send it to a government agency.

The purpose of saving the information, according to Adups, was to identify client junk text messages and calls. 

Kryptowire shared its findings with the U.S. government, Blu, and Google. You can check out the full report for details about what it uncovered.

Why this matters: The episode illustrates that data can often pass through many different companies as part of the process of creating a smartphone. While any crisis may have been averted here, it may give you pause about where you buy your next smartphone and which companies have hands in creating all of the software.
