Chinese spyware on BLU smartphones claimed to be a "mistake"

By JC Torres/Nov. 16, 2016 3:00 am EST

BLU Products is a US-based smartphone maker known for selling low to mid range unlocked smartphones at dirt cheap prices. Almost like Xiaomi, but without the impressive sales numbers. But what buyers, and even BLU itself, didn't know is that the low price may have come at the cost of privacy. Security firm Kryptowire has just revealed that a small piece of code hidden deep inside some of BLU's smartphones was actually private user data, not to some US company, but to an undisclosed OEM in China.

People familiar with concerns over the Chinese spying activities may have just felt a chill down their spines, but it might be a bit too early to jump to conclusions just yet. And if the AdUps Technologies, the Shanghai-based company behind that piece of software, is to be believed, it was just a case of "a private company that made a mistake". Adups doesn't deny that it does have code that has a backdoor to user data. It claims, however, that the code was there at the behest of an unnamed Chinese device manufacturer for the sake of helping improve spam filters and such. It was never meant to be used outside China, much less installed in US smartphones.

AdUps provides firmware that it claims is used in around 700 million phones, cars, and related devices. On BLU's side, it is used specifically in models such as the R1 HD, Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond, amounting to around 12,000 units. CEO Samuel Ohev-Zion says that they were also caught off-guard by the revelation and moved quickly to rollout an update that removes the problematic software. At this point, however, it isn't known what other devices are affected from other manufacturers.

Complicating the matter is that AdUps' spyware is totally hidden from sight. There are no warnings to users or telltale signs that their data, which includes contacts, messages, and call logs, are being harvested and sent to China. The discovery of the activity was serendipitous and would have probably remained unchecked otherwise. AdUps insists that it is phone manufacturers and service providers that are legally required to disclose such activities, not the one that writes the software for it.

Of course, the situation isn't as simple as that and the US government unsurprisingly wants to take a deeper look. It has yet to determine whether it is indeed just a simple case of data mining gone wrong or a subtle tactic at espionage. AdUps naturally claims it is not affiliated with the Chinese government.

SOURCE: New York Times, BLU Products