A security firm has discovered that the at least one smartphone from BLU still contains software that sends over sensitive data to servers based in China. This report comes months after the smartphone manufacturer assured consumers that it would replace the over-the-air software updating tool from the Shanghai Adups Technology. This tool was discovered to send over data every 72 hours. Now, Kryptowire has discovered that there are still devices from BLU that have Adups software installed in them. Among these devices are the BLU Grand M, a smartphone that is currently priced at around $70. Security researchers fear that there are more low-end smartphones affected by the spyware, with the security researchers discovering the same spyware in the Cubot X16S.
Months after Adups software was discovered, the China-based software team is still developing and installing software that sends data to the firm’s servers in Shanghai without alerting device owners. In order to perform its function, the spyware gains access to the devices’ command and control channel. This allows the rogue application to install applications, take screenshots and record screens, make calls, and wipe the device. Researchers over at Kryptowire also discovered that it is possible that the other rogue applications may take advantage of a vulnerability in the older versions of MTKLogger, an application installed in all MediaTek chipsets. This vulnerability allows the software to gain access to personal data like browsing history and GPS information. While there are no reports yet of software that has exploited the application’s vulnerability, the risk is still present unless the manufacturer updates the device.
The ability of pre-installed spyware to access personal data raises concerns about the sincerity of smartphone manufacturers in protecting the privacy of its customers. In BLU’s case, this is not the first time they are involved in this controversy. BLU had promised that it would remove the offending software from Adups technology and replace it with Google-approved alternatives last December, but it seems that this wasn’t the case for all its devices. If the previous incident was any precedent, it is likely the BLU will release another update that will remove the spyware soon.
Update: July 31st
BLU has reached out while also putting out a press release assuring that none of its phones have been breached or pose any sort of risk to the security and privacy of its users, while also stating that none of its phones contain any spyware or malware.