What you need to know about the phones secretly sending data to China

A serious, and potentially frightening, security vulnerability involving some Android smartphones came to light Tuesday.

Phones made by Blu, a U.S. company, were transmitting their owners' personal data to a computer server in China owned by Shanghai Adups Technology Co., which supplies software to mobile device makers.
Initially, it was unclear how the data was being used, though security experts feared it could have been accessible by the Chinese government.

More From Consumer Reports

Now, however, Adups has issued an apology, saying that the data was collected in error and has been deleted.

Here’s what you need to know now if you suspect you have an affected phone.

How Was This Problem Uncovered?

Essentially, a researcher at a security firm called Kryptowire, located outside of Washington D.C, wanted an inexpensive work phone for an overseas trip, and purchased a Blu R1 HD. Without expecting to find a problem, he and his colleagues experimented with the phone, looking at what kind of data it was transmitting, and where that data was going.

The researchers soon realized that something was amiss.

“We thought a lot of data on the phone was being accessed,” said Azzedine Benameur, the company’s director of research.
They traced the data collection to firmware, a type of software central to the operation of the phone, that had been written by Adups, the Chinese company.

The researchers said they shared their findings with Blu on Oct. 21, but initially didn't get a response. The researchers also disclosed the information to Amazon, a primary seller of Blu phones, on Oct. 26, and with Google, which makes the Android operating system, on Oct. 29. Kryptowire has since been in contact with Blu, according to Benameur.

What Exactly Did an Affected Blu Phone Do?

The phone made an encrypted record of several kinds of phone data, and every 72 hours it uploaded the data to a server in China registered to Adups. The data included text messages, phone call histories, and details of how the phone was being used. For instance, Benameur said, "They can tell you launched Facebook for 10 minutes and then switched to Google Maps, and so on."

Kryptowire discovered that the firmware can be set to sift through the data for specific phone numbers, names, or other key words, capturing and transmitting only that information. The researchers say their phone wasn’t picking out specific text messages when they examined it.

How Can I Tell If My Phone Was Running This Firmware?

Only phones running a version of the Android operating system were involved; that means iPhone users don’t have to be concerned.

Blu said that six of its models were affected—the R1 HD, the Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond. These are all low-priced phones—the R1 HD, the phone used by Kryptowire, sells for just $50, while the Energy X Plus 2 costs about $100. But the company didn't provide information such as a serial number or date of manufacture that could help consumers determine if their own phone had the problem firmware installed.

Consumer Reports contacted a number of other smartphone makers to see if their phones were affected.

Google said that its Nexus and Pixel phones did not carry the Adups firmware, but that it couldn’t provide information on other Android phones. “Lots of Android activity is opaque to us,” a spokesman said. “As you know, Android is open-source and anyone can use it.”

Huawei and ZTE, two large phone makers based in China, said their phones were not involved. “We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not," a ZTE statement read. Hauwei issued a similar statement: "The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them."

LG also said that its phones had not been affected, while OnePlus and HTC representatives said that they were investigating the issue.

According to Kryptowire researchers, there was no way for most consumers to determine if the Adups firmware was running on their phone. The company's investigation involved setting up a “man in the middle” attack to intercept data flowing off the phone before it was transmitted over the internet.

How Was the Problem Fixed?

On Tuesday night, Blu said the problem had been fixed, but it didn't supply details. Benameur said that Blu "contacted their supplier, Adups, who in turn turned off the data collection. As of today [Tuesday], we do not observe data collection on the BLU R1 HD."

The statement Adups released Wednesday said, "Adups updated applications for Blu phones, and those phones have passed the Kryptowire test. Adups also confirmed that no information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information" has been deleted.

This incident highlights concerns about privacy intrusions by technology companies that most consumers have never heard of. Dan Guido, CEO of the cybersecurity firm Trail of Bits, initially speculated that the some personal data could end up in government hands: “You might be in a rude awakening if you go through customs at a Chinese airport,” he said on Tuesday. “From the Chinese censors’ point of view, this is not a bug. It’s a feature.”

Other security researchers suggested that the Adups program fit into a pattern of widespread data collection.

“It does seem pretty egregious to collect this kind of information," Jason Hong, an associate professor of computer science at Carnegie Mellon, told Consumer Reports on Tuesday. "There could be a lot of malicious things being done. On the other hand, we’ve also seen a lot of these advertising networks that just try to get as much information about you so that they can do better ads.”

Should I Avoid Buying a New Blu Phone?

Blu phones aren’t sold directly by the major phone carriers, but are instead available from retailers such as Amazon, which is where Kryptowire purchased its phone. Amazon has a 30-day return policy for phones, but said it will extend the policy in this situation.

An Amazon spokeswoman, Robin Handaly, told us that when the problem was discovered “all impacted phone models were immediately made unavailable for purchase on Amazon.com,” though other Blu phones were still available. “Now that the issue has been resolved, we’re working to make these phones available to Amazon.com customers again.”

What Phone Should I Buy?

You can start by checking Consumer Reports ratings. (We tested the Blu Vivo 5, which is not listed among the affected models. It earned a respectable score for a budget phone, but missed CR's Recommended phone benchmark.)

Editor's Note: This article has been updated to reflect statements by Adups and several phone makers, and new information from Kryptowire on its research into this issue.

Copyright © 2005-2016 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.