On Tuesday, the online retailer said that it was suspending the sale of Blu phones because of a “potential security issue” on the company’s cheaper models. “Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” an Amazon spokesperson said in a statement.
However, on Friday, the unlocked Android devices were back on sale at Amazon after the “false alarm” was cleared up.
Hey BLU fans! After a false alarm, BLU devices are now back up for sale on Amazon. https://t.co/XKqFyEiBI0#BLU #BoldLikeUs #Amazon
— BLU Products (@BLU_Products) August 4, 2017
Blu is a key member of Amazon’s Prime Exclusive Phones program, which offered discounts on unlocked phones in exchange for ads on the lock screen.
“Since Nov 2016 when the initial privacy concern was reported by Kryptowire, which BLU quickly remedied, Amazon has been aware of the Adups and other applications on our BLU devices which were deemed at the time by BLU, Amazon, and Kryptowire to pose no further security or privacy risk,” Blu told Digital Trends. “Now almost a year later, the devices are still behaving in the same exact way, with standard and basic data collection that pose no security or privacy risk. There has been absolutely no new behavior or change in any of our devices to trigger any concern. We expect Amazon to understand this, and quickly reinstate our devices for sale.”
And it would seem that Blu’s expectations have been met.
Amazon’s initial decision came a month after security firm Kryptowire demonstrated that apps on Blu phones were recording keystrokes, call logs, browser history, and unique phone identifiers like the MAC address and IMEI. In a report published in July, Kryptowire wrote that Shanghai Adups Technology, the company behind the data-collecting apps, was funneling the data to servers in China.
Kryptowire looked at more than 20 pieces of firmware for Blu phones, all of which contained exploits stemming from faulty MediaTek code. They used privilege escalation, a technique that gives certain apps more permissions than they’d normally have, to establish a command an control channel — a communications route with unfettered access to a device’s software. By executing commands as if they were the user, Adups apps could install apps, take screenshots, record the screen, make calls, and wipe devices.
MediaTek said it resolved the issue in November, but a number of Blu phone models, including the Blu Advance 5.0, haven’t received a security patch.
Blu said that is “has several policies in place which take customer privacy and security very seriously,” and Adups called it a “mistake.” But analysts at Kryptowire claims to have detected the spying software on at least three different phones.
Ryan Johnson, a research engineer and co-founder at Kryptowire, said that in May he observed Blu’s R1 HD and Grand M sending data to China containing the phone number, cell phone tower ID, and browser bookmarks.
“[It’s] generally [enough to] locate a person, presuming they’re in an urban area,” Johnson said. “It seems pretty widespread around lower-end phones.”
In a follow-up statement provided to ZDNet, Blu said that Adups software was only on some older devices, and that new phones would use Google’s Over-The-Air software.
“Blu decided to switch the Adups OTA application on future devices with Google’s GOTA,” Blu said. “Even though it is Blu’s policy to only use GOTA moving forward, some older devices still use Adups OTA.” Any data its devices collect, Blu noted, is only “standard for OTA functionality” and “does not affect any user’s privacy or security.”
Update: Blu phones are back on Amazon
