It seems that multiple budget and value-for-money smartphones in the US are transmitting confidential user data to servers managed by a China-based software company. This information has now surfaced via online security firm Kryptowire, which has stated that information including contact lists of users have leaked out.
In its official press release, Kryptowire stated that devices purchased from popular US e-tailers have fallen prey to the latest threat and have been found to be transmitting personal user data without consent. As far as victim smartphone brands are concerned, the full list of these handsets is yet to surface, but the BLU R1 HD smartphone that falls into the category of value-for-money devices finds a mention within Kryptowire's latest release.
As of now, the BLU R1 HD (8GB Black edition) is unavailable on Amazon US. The e-talier also expresses ignorance with respect to the arrival of newer stocks of the smartphone. As far as its price-tag is concerned, the BLU R1 HD is generally priced at $50 and is an exclusive to Amazon in the States.
Also, the data breach took place via a Firmware-over-the-air (FOTA) update mechanism managed by the China-based Shanghai Adups Technology. At this juncture, it is worth noting that Adups claims to have offices outside of China as well; in geographies such as Tokyo, Miami and New Delhi.
Folks at Kryptowire stated that they evaluated the Personally Identifiable Information (PII) collected and transmitted encrypted to servers located in Shanghai, China.
"Some transmitted the body of the user's text messages and call logs to a server in located in Shanghai. All of the data collection and transmission capabilities we identified were supported by two system applications that cannot be disabled by the end user," stated engineers at Kryptowire.
As far as the exact nature of data transmitted is concerned, Kryptowire identified that information such as contact lists, text messages, call history logs, along with the IMEI number were transmitted to Adups servers. Reasons quoted for this was a defective firmware that reportedly installed apps without obtaining explicit consent thereby opening backdoors.
"The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices," adds Kryptowire.
Finally, Kryptowire has reportedly intimated the above findings to companies such as Google, Amazon, BLU Products and Adups as well. Now, an update or patch from BLU's end is highly expected by users.