Budget Android smartphones from the likes of Chinese manufacturer, Blu, might be an affordable proposition but they’re hugely lacking on the privacy front. As has been uncovered by Security firm Kryptowire, several models of these low-cost Android smartphones, sold even in the U.S, had a backdoor in the firmware installed on them.
Privacy is of grave importance to all users in today’s internet age but this backdoor enabled the company to collect sensitive personal data and transmit it to third-party servers in China. And as one expects, the users were completely aloof to the situation and data including text messages, call logs, contacts, app usage data, IMEI number and even their location were being transmitted by their smartphones.
The security firm detected the presence of this firmware along with the backdoor on several Blu smartphones, including the BLU R1 HD. This is one of the most popular sub-50 dollar smartphone which is available for purchase through major US-based online retailers such as Amazon or Best Buy.
The firmware on these budget Android offerings could also target specific users and text messages matching remotely defined keywords, reports Kryptowire. But that’s not all. Since the phones under question were connected to a third-party server, therefore they were easy targets for remote code executions with escalated privileges. This means that a person with access to your collected data could bypass your Android privileges and remotely install any specific app or reprogram the device.
The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users’ consent and, in some versions of the software, the transmission of fine-grained device location information,
details Kryptowire in its official findings.
But the biggest question is — who planted this backdoor in these budget Android smartphones? Well, the security firm traced the personal data transmissions to its source and discovered that monitoring activities were being conducted using the commercial Firmware Over The Air (FOTA) update software system. In Blu’s case, the updates are delivered by a company named Shanghai Adups Technology Co. Ltd and the data collected was encrypted and then transmitted over secure web protocols to a server located in Shanghai.
Adups is recognized as one of the prominent FOTA support providers and boasts of having an active user base of 700 million and a market share of over 70 percent across 150 countries. The company is said to produce firmware programs integrated with devices of more than 400 technology giants, including the likes of Huawei and ZTE. This firmware which was packed in Blu
This firmware which was packed in Blu smartphones affected more than 120,000 smartphones in the States. Commenting on the issue, Samuel Ohev-Zion, the chief executive of BLU Products, said,
It was obviously something that we were not aware of. We moved very quickly to correct it.
But, in conversation with New York Times, a lawyer representing Adups claims that the said backdoor wasn’t a bug and the company has baked the same into the firmware intentionally. This surveillance feature was built at the request of an unidentified Chinese client who wanted to use it to monitor user behavior, store call logs, and messages. He further adds that the feature was specifically intended for the Chinese markets and wasn’t supposed to be released in American markets.
The Adups lawyer has also mentioned that the company has already taken necessary action. It claims to have deleted all personal data and info collected from Blu users in the States. This incident will definitely blotch user trust and reputation of the Chinese smartphone makers who’re using update services from the said solution provider. We’ll need to wait and see how other manufacturers act and take preventive steps to protect user privacy.