Beware: These Android phones sent texts, other sensitive data to a server in China

Have an unlocked Blu phone? Then read this

We like to think our text messages and other information stored on our cell phones are "For Our Eyes Only," but unfortunately, that's not always the case. 

That couldn't be more true today, as it was discovered that some Android devices from Blu Products, the leading provider of unlocked smartphones in the US according to eMarketer, sent full-body text messages, call logs, contact lists, and other sensitive information to a server in China.

Mobile security firm Kryptowire made the find, noting the information was sent without users' knowledge or consent. About 120,000 of its phones were affected, Blu tells The New York Times, and Adups (more on it in a few) confirmed to us.

The information was gathered and sent via a third-party Firmware Over-The-Air (FOTA) APK installed on select Blu devices, such as the R1 HD and Energy X Plus 2. Text messages and call logs were sent every 72 hours, while other personal info was shuttled every 24 hours.

Though not exactly a household name, the Florida-based Blu held the largest share of the unlocked phone market in 2015 with a hearty 35.6%. Apple came in second at 12.3%. 

Its devices are sold on Amazon, Best Buy and other major online retailers. Currently, the Blu Advance 5.0 is the top-selling unlocked phone on Amazon.

'Inadvertently left in'

The software at the center of the scandal is from Adups, a Chinese software firm that provides professional FOTA update services, and was designed to collect information in order to flag junk texts and calls using certain keywords and phone numbers, as well as improve the user experience.

This was done for a Chinese OEM customer, Adups tells us, and was never intended for US devices. 

The software did make it to US shores, however, as Adups explains that from approximately May 13 through October 28, when it sent its FOTA APK to Blu, it "inadvertently left in parts of the code intended" for its Chinese customer.

When it learned of the issue, Adups says it immediately terminated the functionality. Adups assured in a statement on its website that any data gathered and sent from Blu phones was deleted. It tells us that it will no longer collect user information from Blu devices.

The firm also noted in its statement it's been working with Blu and Google to ensure the same thing doesn't happen again on updated versions of its firmware. Adups, naturally, also took the opportunity to apologize to its partners and users. 

When asked for more information on the situation, Blu directed us to a statement on its website.

What you can do

Even though Adups and Blu say the app has been updated and verified to no longer be collecting or sending users' information, you may be wary of the fix. If so, here's what you can do to see if your phone is still in the data-collecting crosshairs. 

First, check whether it's an affected model at all. Those are the R1 HD, Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL and Energy Diamond. 

If you have one of these devices, head to Settings in your App Drawer. Scroll down and hit "Apps" in the Settings menu. 

Once inside, select the Menu icon in the upper right-hand corner. Click "Show system", then scroll down and select "Wireless Update." 

There, you can check which Wireless Update you're running. If your phone shows 5.4.0.3.004, your device is in the clear. If it reads 5.0.x to 5.3.x, Blu asks that you contact it immediately. 

The company's customer support contact info is service@blueproducts.com and 1-877-602-8762. 

ABOUT THE AUTHOR

Michelle is TechRadar's Senior News Editor and is based in the Bay Area. Covering all things tech, Michelle is obsessed with good handsets, smart machines and self-driving cars. With an eye on every corner of the industry, Michelle aims to bring you the most useful and entertaining bits about the tech you love. Got a tip? Drop her a line!