Own a BLU(+more) Products phone? Congrats, you have a backdoor that was sending all info to China!

[Elixer]

http://arstechnica.com/security/201...-backdoor-on-hundreds-of-thousands-of-phones/

Security firm Kryptowire has uncovered a backdoor in the firmware installed on low-cost Android phones, including phones from BLU Products sold online through Amazon and Best Buy. The backdoor software, initially discovered on the BLU R1 HD, sent massive amounts of personal data about the phones and their users’ activities back to servers in China that are owned by a firmware update software provider. The data included phone number, location data, the content of text messages, calls made, and applications installed and used.

Basically, they have all your information, and all your message you ever read/sent.

These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices... The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information.

 

[Crono]

Oh goody. Hope this means we can sue the crap out of them. They are an American company, but they just rebranded Chinese phones for the Americas... probably without due diligence in checking the firmware for tools intended to collect data from Chinese users for ads and marketing.

 

[Zaap]

Wow. That really sucks.

This reeaaaaly not helping the "Looks interesting.. but I dunno.. something don't smell quite right..." feeling that swirls around the cheap "flagship killer-wanna-be" phones.

Shame. I looked really hard for a BLU phone that might have made a good fill in device...but ultimately they were 'too cheap' in quality, or 'not bad, but then costly enough that it made no sense vs. an S7 of vastly obvious superiority.

News like this isn't helping the alternative makes any.

 

[luv2liv]

Only some. Looks like my vivo air lte isn't on the list. Phew

 

[Elixer]

Only some. Looks like my vivo air lte isn't on the list. Phew

How can you trust them, and more importantly, how do you know they won't force-push an update and do it again?

Seems that the only way for people to be safe these days is only purchases phones where you can root them, and install your own OS.

 

[Crono]

Only some. Looks like my vivo air lte isn't on the list. Phew

Link to list?

 

[Elixer]

Link to list?

Here is the supposed list.
They don't tell you how you can wipe the info on that server either, seems they don't care about that.

http://bluproducts.com/security/

BLU Products has identified and has quickly removed a recent security issue caused by a 3rd party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices.

Our customer’s privacy and security are of the upmost importance and priority.

The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.

If you have any concerns or questions in regards to your BLU Smartphone, feel free to contact us directly at www.bluproducts.com/service, call us at 1-877-602-8762, or email us at service@bluproducts.com.

Affected Models

• R1 HD
• Energy X Plus 2
• Studio Touch
• Advance 4.0 L2
• Neo XL
• Energy Diamond

 

[Crono]

Here is the supposed list.

http://bluproducts.com/security/

Thanks. My Vivo XL is not on the list. Wonder if the collection was deep enough to bypass the root privacy apps and firewall I have on it (not using the phone anymore, anyway) were it affected.

 

[Elixer]

Thanks. My Vivo XL is not on the list. Wonder if the collection was deep enough to bypass the root privacy apps and firewall I have on it (not using the phone anymore, anyway) were it affected.

Well, BLU lied, they said it was a "3rd party app", but they failed to mention that the issue is the firmware that allows them to do this.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information. The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and were managed by a company named Shanghai Adups Technology Co. Ltd.

http://www.kryptowire.com/adups_security_analysis.html are the ones that found it first.

 

[Kazukian]

Wow. That really sucks.

This reeaaaaly not helping the "Looks interesting.. but I dunno.. something don't smell quite right..." feeling that swirls around the cheap "flagship killer-wanna-be" phones.

Shame. I looked really hard for a BLU phone that might have made a good fill in device...but ultimately they were 'too cheap' in quality, or 'not bad, but then costly enough that it made no sense vs. an S7 of vastly obvious superiority.

News like this isn't helping the alternative makes any.

This, I like disruptive stuff and prices, but I just couldn't pull the trigger on a BLU phone.

 

[Red Storm]

This is both surprising and not surprising.

 

[Elixer]

Here is a more recent list of devices that have this issue... as you can see, it isn't just BLU.

• BLU Studio G
• BLU Studio G Plus
• BLU Studio 6.0 HD
• BLU Studio X
• BLU Studio X Plus
• BLU Studio C HD
• Infinix Hot X507
• Infinix Hot 2 X510
• Infinix Zero X506
• Infinix Zero 2 X509
• DOOGEE Voyager 2 DG310
• LEAGOO Lead 5
• LEAGOO Lead 6
• LEAGOO Lead 3i
• LEAGOO Lead 2S
• LEAGOO Alfa 6
• IKU Colorful K45i
• Beeline Pro 2
• XOLO Cube 5.0

https://www.kb.cert.org/vuls/id/624539

 

[uallas5]

Well, BLU lied, they said it was a "3rd party app", but they failed to mention that the issue is the firmware that allows them to do this.

The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and were managed by a company named Shanghai Adups Technology Co. Ltd.

I'm not sure of a "Lie", while not an "app" this line indicates it was 3rd party, just a 3rd party component that was used for the actual firmware update. No wonder this affected other manufacturers other than Blue.

 

[Yakk]

Bet backdoor version 2.0 (who knows what hasn't been discovered yet, maybe 15.0) will be much more discrete.

 

[podspi]

Ugh, the BLU R1 HD has been hit with two of these in the last week or so.

Luckily the R1 is just my backup phone.

Performance on the R1 HD is really good though, so it makes you wonder about the bloatware on other OEMs...

 

[Rifter]

yeah im not buying a phone i cant root and install my own chosen ROM on. this is just ridiculous. I hope there is a class action lawsuit against these idiots.