Have you ever purchased a Blu smartphone from Amazon? If so, according to some reports, you may have inadvertently accessed spyware.
We last heard about Blu phones in November 2016, when security firm Kryptowire discovered spyware on certain unlocked budget Blu Android handsets. Sales were stopped for a month.
The news blew over, and we hadn’t heard anything about Blu’s spyware for several months. However, Amazon just announced that it was removing Blu phones from its online store – which apparently means the malicious software is still present.
The software was traced back to a Chinese company called Shanghai Adups Technology Company. Researchers at Kryptowire discovered the app was collecting user data from the Blu R1 HD phone, then silently sending that data to mysterious servers in China.
Virginia-based Kryptowire announced last week at the Las Vegas BlackHat security conference that some Blu phones still contained that spyware. Earlier this week, Amazon announced it was suspending Blu phone sales from Amazon.
The spyware was just part of the problem. Nobody wants their private data to be sent to China, but the spyware also reportedly made handsets vulnerable to remote attacks. There was also evidence the that spyware could log calls and texts.
They Replaced the Spyware with “Nicer Versions”
Last November, Blu was caught with spyware on certain devices. It appears they tried to fix the problem – but they fixed it by installing a “nicer version” of the spyware, according to Kryptowire co-founder Ryan Johnson.
Johnson claims that “nicer version” of the spyware sends crucial phone data overseas, including the apps installed on the phone, MAC addresses, IMEI, phone numbers, and cell phone tower IDs.
Blu Insists their Data Collection is Standard Practice
A Blu spokeswoman has denied any wrongdoing by the company, saying that it’s standard practice to maintain functionality of their phones. They also insist they have “several policies in place which take customer privacy and security seriously.”
In regards to the data collection, the spokeswoman claims “there is nothing out of the ordinary that is being collected, and certainly does not affect any user’s privacy or security.”
Blu explains that there’s “nothing wrong with having a server in China”, and their privacy policy clearly states that some of the collected data may be stored outside the United States.
Amazon obviously wasn’t happy with Blu’s explanation. In a statement, Amazon told CNET that they stopped selling Blu handsets because the “security and privacy of our customers are of the utmost importance.”