Amazon halts Blu phone sales over 'potential security issue'

Blu, the US brand behind a line of cheap and cheery Android smartphones, has been temporarily suspended from selling its devices on Amazon following claims that they contain spyware.

Amazon told ZDNet sister site CNET that it had suspended sales of Blu handsets due to a "potential security issue".

Security firm Kryptowire in November detailed security issues stemming from Blu devices containing a firmware-over-the-air update software from Chinese vendor Shanghai Adups Technology, which was transmitting SMS messages and other private data to a server in China.

Shortly afterwards, Blu announced it had requested Adups to disable the functionality on Blu phones and flagged it would switch to Google's own update software. Adups also said it had fixed the issue.

However, at the Black Hat security conference last week, Kryptowire demonstrated that Adups was still transmitting users' private data and featured a command-and-control server capable of installing apps, taking screenshots, recording the screen, making calls, and wiping devices without the user's permission.

Kryptowire had singled out the Blu R1 HD, which is available for $60 on Amazon, for harboring Adups software.

According to Kryptowire co-founder Ryan Johnson, Adups replaced its firmware with "nicer versions" but said further analysis in May of another Blu model found Adups was still making the same mistakes, describing it as a "huge invasion of privacy".

It was transmitting a list of apps installed, apps used, unique device identifiers, including the MAC address and IMEI number, the phone number, and cell phone tower ID.

"Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved," Amazon said in a statement to CNET.

Some Blu models are still available on Amazon at the time of writing.

The incident may have cost Blu its prominent position on Amazon's Prime Exclusive Phones program, which no longer lists the firm's devices.

Blu issued a statement saying Adups software was only on some older devices, and that new devices would use Google's OTA software.

"Blu decided to switch the Adups OTA application on future devices with Google's GOTA. Even though it is Blu's policy to only use GOTA moving forward, some older devices still use Adups OTA," it said.

It also argued that using Adups software was "not an issue", which was merely collecting information that is standard for OTA functionality and consistent with other smartphone brands.

"The issue is exactly what kind of data is actually being collected by this Adups application, and whether it presents a security or privacy risk," it said.

Read more on Android security

• Google Play Protect rolling out to Android devices for better security
• Google names 42 Android devices with users running security updates from last two months
• Android security report: Google aims to clean up 'unwanted software' in 2017
• This Android Trojan pretends to be Flash security update but downloads additional malware
• iOS and Android security: A timeline of the highlights and the lowlights (TechRepublic)
• This is the easiest way to prevent malware on your Android device (CNET)