Amazon removes BLU smartphones reported to be "sending smartphone users' personal information to Chinese servers without permission"



The low-cost smartphone brand "BLU" boasts the No. 1 share of SIM-free smartphones in the United States. However, following reports that BLU smartphones send users' personal information to Chinese servers without permission, Amazon has removed the products from its website, citing "potential security issues".

Amazon suspends sales of Blu phones due to privacy concerns - CNET
https://www.cnet.com/news/amazon-suspends-sales-of-blu-phones-due-to-privacy-concerns/


Privacy warnings spell trouble for millions of low-cost Android phone owners | Ars Technica
https://arstechnica.com/information-technology/2017/08/citing-privacy-threats-amazon-stops-selling-some-android-phones-from-blu/

At the security conference "Black Hat", held in Las Vegas on July 20, 2017, the security firm Kryptowire announced that BLU, the SIM-free smartphone brand with the top share in the US, "is sending device data to a server in China without alerting the user".

All Your SMS & Contacts Belong To Adups & Others
(PDF file) https://www.blackhat.com/docs/us-17/wednesday/us-17-Johnson-All-Your-SMS-&-Contacts-Belong-To-Adups-&-Others.pdf


BLU is manufactured by Shanghai Adups Technology in China, and personal data such as text messages, contact lists, call history, device-specific identifiers, and activity were sent to Shanghai Adups Technology's server. On August 2, 2017, Kryptowire released further technical information so that other researchers could review it.

Kryptowire Provides Technical Details on Black Hat 2017 Presentation: Observed ADUPS Data Collection & Data Transmission
http://www.kryptowire.com/observed_adups_data_collection_behavior.html


The BLU devices mentioned on the above website include the "Grand M", "Life One X 2", and "Advance 5.0". For the Grand M and Life One X 2, the ID and location of the mobile base station, phone number, IMEI, IMSI, Wi-Fi MAC address, device serial number, the list of installed applications with their timestamps, and so on were sent to the server in China. The Advance 5.0 also contained a vulnerability that third parties could use to potentially run code from outside. Although it was discovered at the end of 2016, Kryptowire's view is that this vulnerability was left unfixed. According to Kryptowire, the information leakage was not limited to BLU devices: the Cubot X16S from rival company CUBOT is also mentioned on the website, which notes that personal information including browsing history was sent to China.

Regarding this matter, a BLU spokesperson said, "BLU has a policy of taking customers' privacy and security seriously" and "BLU devices contain no malware or spyware; these are inaccurate and erroneous reports." In response to the claim that it is "collecting sensitive personal information", the spokesperson said, "the data being collected is standard and basic functional data" and "this is collected by smartphone manufacturers all over the world. It is nothing beyond the normal range and does not affect the privacy or security of users."

BLU responds to inaccuracies in several stories from last week regarding its devices
http://www.prnewswire.com/news-releases/blu-responds-to-inaccuracies-in-several-stories-from-last-week-regarding-its-devices-300496680.html

However, Amazon removed the BLU smartphone product pages from its website. I checked Amazon Japan, and the pages where the BLU GRAND M and BLU GRAND X LTE had been listed were deleted.



Amazon told CNET, "We recently learned of a potential security issue on some of the BLU smartphones sold on Amazon.com. Because customer security and privacy are of paramount importance, all models of BLU smartphones will be unavailable for purchase on Amazon.com until the issue is resolved."

This is not the first report of smartphone information being sent to Chinese servers. At the end of 2016, it was revealed that low-cost Android smartphones, including BLU's "R1 HD" and "Energy X Plus 2", contained an application that sent personal data such as users' call history and text messages to Chinese servers without permission. At that time, however, BLU responded quickly, officially stating, "On some BLU Products smartphones, personal information such as text messages, call history, and contact information was collected without authorization, but we resolved the security problem by deleting the application."

Discovery that Android-powered smartphone secretly sends user data to China - GIGAZINE


In addition, regarding the data transmission at that time, Adups stated, "In June 2016, when the Adups firmware application was applied to some BLU Products smartphones, personal information was inadvertently extracted from the devices in connection with another Adups client's request" and "When BLU Products objected to Adups' software, we immediately removed the software from the devices."

Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say - NYTimes.com
https://mobile.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html

Budget Android phones are secretly sending users' text messages to China - The Verge
https://www.theverge.com/2016/11/15/13636072/budget-android-phones-blu-china-text-messages

Dan Guido, CEO of the security company Trail of Bits, which is not involved in this case, agrees with Kryptowire's view that "BLU smartphones are threatening the privacy of users". In an interview with the news outlet Ars Technica, he said, "By forgetting to remove this code and selling the devices in the US, BLU exposed unsuspecting buyers to surveillance by a Chinese company." Guido considers Amazon's decision to stop selling BLU smartphones correct, and says that Amazon should likewise stop carrying other smartphones that pose the same privacy risk.

in Mobile, Software, Web Application, Security, Posted by darkhorse_log