Smartphone company Blu came under the radar after its Blu R1 HD was found to transmit personally identifiable information (PII) to servers in China via a back door. Blu was fast to react to the issue, and released a software update that apparently stopped the transfer of data. Furthermore, Amazon stopped listing the unit on its site for purchase. Now, Blu has announced that it is ending ties with third party OTA update provider Adups, and is adopting the standard Google OTA method.
Security firm Kryptowire had revealed that Adups was the reason of this non-transparent data transfer between the smartphone and Chinese servers. Blu CEO Sammy Ohev-Zion confirmed to PC Mag that future smartphones from the company will be shipped with the standard Google OTA software. "Any new model that launches from December onwards will have Google's OTA application instead of Adups," he told the publication.
Ohev-Zion said that this pertains to all Blu smartphones, not just the R1 HD. "We will not install third-party applications where we don't have the source code and don't understand the behaviour. Today, no Blu phone has this problem," Ohev-Zion pledged.
Information that was collected and transmitted included the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI) from a user's phone. In some versions of the software, it even included fine-grained location. This transfer was happening without any initiation to the customer.
Notably, even anti-virus and other security software on phones were not able to discover the threat, as they normally disregard software already bundled on the phone by the smartphone manufacturer. Adups software was used in a variety of smartphones by Chinese and other manufacturers. If you'd like to check if your smartphone is affected, look for these APK files on your smartphone - com.adups.fota and com.adups.fota.sysoper.