‘Made in China’ smartphone spies on users, researchers found
A budget smartphone with Chinese components has been found to transmit user data, including complete text messages, to the manufacturer without users’ knowledge.
The Android-based BLU device, which uses firmware from the Chinese company Shanghai ADUPS Technology, relays information about calls received and made, contact lists and text messages to a China-based server.
The vulnerability was discovered by Virginia-based cyber-security company Kryptowire, which said the devices can also be reprogrammed remotely and receive commands.
“The firmware could target specific users and text messages matching remotely defined keywords,” Kryptowire said in a statement. “The firmware also collected and transmitted information about the use of applications installed on the monitored device and bypassed the Android permission model.”
The affected BLU R1 HD smartphone is sold via Amazon and other online retailers and targets low-income users in the USA, China and western Europe. The firmware it uses receives automatic updates from the maker. The covert transmission of personal data takes place every 72 hours for text messages and call logs and every 24 hours for other personally identifiable information. The user has no ability to switch off the eavesdropping.
“The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai,” Kryptowire said. “This software and behaviour bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.”
Shanghai ADUPS Technology responded to the allegations, saying the firmware’s functionalities had been designed to help screen out junk calls and texts. It denied any malicious intent and said the functionality has since been disabled.