Some Blu smartphone owners got a hidden feature they weren’t quite expecting.
It turned out software from a Chinese company was transmitting all of their text messages and other data to China every 72 hours. The vulnerability was discovered by a Kryptowire, an American enterprise security firm.
According to a New York Times report it wasn’t clear if the information went beyond the recipient of Shanghai Adups Technology Company, but it impacted Blu R1 HD and other phones.
On its website, Adups says it builds firmware that runs on more than 700 million phones. Kryptowire concluded that the data sharing included full contexts of text messages, call logs, contact lists, location information, and other data. There was other identifiable information like each phone’s Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).
Blu Products told The Times that 120,000 of its phones were affected, but the leak was plugged through a software update. Blu is known primarily for low cost phones, such as the Blu R1 HD which recently was part of a special offered by Amazon for $50.
The report says that Adups software was found on both ZTE and Huawei phones in China, although it’s unclear if the scope of the data mining effort extends beyond the Blu products. According to the report, Adups assured Blu that all customer information had been destroyed and was not part of any intentional effort to keep the data or send to a government agency.
The purpose of saving the information, according to Adups, was to identify client junk text messages and calls.
Kryptowire shared its findings with the U.S. government, Blu, and Google. You can check out the full report for details about what it uncovered.
Update 11/16/16 10:00am: A representative from Huawei sent us this official statement, clearing up any possible relationship with the company.
Huawei takes our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.
Update 11/16/16 11:00am: We received the following official statement from ZTE USA:
We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.
Why this matters: The episode illustrates that data can often pass through many different companies as part of the process of creating a smartphone. While any crisis may have been averted here, it may give you pause about where you buy your next smartphone and which companies have hands in creating all of the software.
This story, “Report: Backdoor access in the Blu R1 HD and other phones sent data to China” was originally published by Greenbot.