A serious, and potentially frightening, security vulnerability involving some Android smartphones came to light Tuesday.
Phones made by Blu, a U.S. company, were transmitting their owners’ personal data to a computer server in China. It’s not clear how the data was being used, though security experts say it could have been accessible by the Chinese government.
While the issue was discovered in phones sold by Blu, it could affect models from other manufacturers, and potentially millions of phones worldwide that all use software supplied by the same company, Shanghai Adups Technology Co.
The news story will evolve in the days ahead, but here’s what you need to know now if you have—or might have—an affected phone.
How was this problem uncovered?
Essentially, a researcher at a security firm called Kryptowire, located outside of Washington, D.C., wanted an inexpensive work phone for an overseas trip, and purchased a Blu R1 HD. Without expecting to find a problem, he and his colleagues experimented with the phone, looking at what kind of data it was transmitting, and where that data was going.
The researchers soon realized that something was amiss.
“We thought a lot of data on the phone was being accessed,” says Azzedine Benameur, the company’s director of research.
They traced the data collection to firmware, a type of software central to the operation of the phone, that had been written by Adups, the Chinese company. The Adups website says it supplies firmware to phone makers that include Blu and two of the world’s biggest phone makers, ZTE and Huawei, which both sell phones in the United States. Those companies did not respond to a request for information.
What exactly does an affected Blu phone do?
The phone makes an encrypted copy of your text messages, including metadata such as the phone numbers you’re communicating with. Then, every 72 hours it uploads the data to a server in China.
Kryptowire discovered that the firmware can be set to sift through text messages for specific phone numbers, names, or other key words, capturing and transmitting only that information. The researchers say their phone wasn’t picking out specific text messages when they examined it.
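The fixed 72-hour upload cycle described above is the kind of cadence a defender can spot in a device's outbound-connection log even when the payload itself is encrypted. The following is an added example, not code from Kryptowire or the article; the log format, host names and timestamps are constructed, and only the 72-hour interval comes from the text.

```python
"""Flag destinations that a device contacts on a fixed schedule (here the
72-hour cycle the article attributes to the Adups firmware).
Added example: log format and host names are assumptions, not page data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log, one connection per line:
# "<ISO timestamp> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2016-11-01T02:14:05 updates.example-fw.test 48211
2016-11-01T09:30:11 api.social.test 1203
2016-11-02T11:02:43 api.social.test 2981
2016-11-04T02:15:40 updates.example-fw.test 51877
2016-11-05T18:44:09 api.social.test 770
2016-11-07T02:13:58 updates.example-fw.test 49930
2016-11-10T02:16:21 updates.example-fw.test 50342
"""

def parse_log(text):
    """Group connection timestamps by destination host."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _bytes_sent = line.split()
        by_host[host].append(datetime.fromisoformat(ts))
    return by_host

def find_periodic_hosts(by_host, period_hours=72.0, tolerance_hours=1.0, min_events=3):
    """Return {host: mean_gap_hours} for hosts whose every inter-connection
    gap lies within `tolerance_hours` of `period_hours`. Ordinary app traffic
    (irregular gaps) is not flagged; a timer-driven upload is."""
    flagged = {}
    for host, stamps in by_host.items():
        stamps = sorted(stamps)
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_hours) <= tolerance_hours for g in gaps):
            flagged[host] = round(mean(gaps), 2)
    return flagged

def scan(text=SAMPLE_LOG):
    return find_periodic_hosts(parse_log(text))

if __name__ == "__main__":
    for host, gap in scan().items():
        print(f"{host}: contacted every ~{gap} h")
```

Real captures will show jitter from reboots and network outages, so widen the tolerance or count a minimum fraction of matching gaps rather than requiring all of them.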
How can I tell if my phone is running this firmware?
Only phones running a version of the Android operating system are involved; that means iPhone users don’t have to be concerned.
Blu says that six of its models were affected—the R1 HD, the Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond. These are all low-priced phones—the R1 HD, the phone used by Kryptowire, sells for just $50, while the Energy X Plus 2 costs about $100. But the company isn’t providing information such as a serial number or date of manufacture that could help consumers determine if their own phone has the problem firmware installed.
Consumer Reports contacted a number of other smartphone makers to see if their phones were affected.
Google, which makes the Android operating system, says that its Nexus and Pixel phones did not carry the Adups firmware, but that it couldn’t provide information on other Android phones. “Lots of Android activity is opaque to us,” a spokesman says. “As you know, Android is open-source and anyone can use it.”
Other phone makers that responded to our inquiry, including OnePlus, HTC, and LG, said they were still investigating to determine whether any of their phone models were affected.
According to Kryptowire researchers, there’s no way for most consumers to determine if the Adups firmware is running on their phone. The company’s investigation involved setting up a “man in the middle” attack to intercept data flowing off the phone before it was transmitted over the internet.
Okay, I have a problem phone. Now what?
Blu says it has already fixed the problem with an update to phones in the hands of consumers. However, the company has not responded to inquiries asking how consumers can confirm that the issue has been resolved on their phones.
Assuming the phones have been fixed, that won’t erase any personal data from Adups’ servers. Nor is it clear how the information might be used.
Dan Guido, CEO of the cybersecurity firm Trail of Bits, speculates that some personal data could end up in government hands: “You might be in a rude awakening if you go through customs at a Chinese airport,” he says. “From the Chinese censors’ point of view, this is not a bug. It’s a feature.”
Wherever the data ends up, some security researchers suggest that the Adups program likely started as an exercise in marketing.
“It does seem pretty egregious to collect this kind of information,” says Jason Hong, an associate professor of computer science at Carnegie Mellon. “There could be a lot of malicious things being done. On the other hand, we’ve also seen a lot of these advertising networks that just try to get as much information about you so that they can do better ads. So without more information, it’s really hard to say for sure.”
Should I avoid buying a new Blu phone?
Blu phones aren’t sold directly by the major phone carriers, but are instead available from retailers such as Amazon, which is where Kryptowire purchased its phone. Amazon has a 30-day return policy for phones, but says it will extend the policy in this situation.
An Amazon spokeswoman, Robin Handaly, told us that when the problem was discovered, “all impacted phone models were immediately made unavailable for purchase on Amazon.com,” though other Blu phones were still available. “Now that the issue has been resolved, we’re working to make these phones available to Amazon.com customers again.”
What phone should I buy?
You can start by checking Consumer Reports ratings. (We tested the Blu Vivo 5, which is not listed among the affected models. It earned a respectable score for a budget phone, but missed CR’s Recommended phone benchmark.)

Source: Foxnews