You might be wrong to assume that a shiny new Android phone has nothing malicious on it when you buy it.
Researchers at Kryptowire claim that several Android smartphones sold through major retailers like BestBuy and Amazon have firmware pre-installed on them which transmits sensitive information to third-party servers in China, without the owner’s knowledge or consent.
Affected handsets include the BLU R1 HD, which ships with firmware developed by Shanghai Adups Technology Co. Ltd. Selling for about $60 on Amazon, the unlocked BLU R1 HD Android smartphone is unsurprisingly a big seller.
However, the researchers discovered that personal information was being collected by Adups software every 24 hours from the phones and transmitted in encrypted form to servers in Shanghai. Furthermore, some phones were transmitting call logs and the content of text messages every 72 hours.
The data collection could not be disabled by the end user.
BLU has responded to Kryptowire’s advisory by publishing its own security notice to customers:
BLU Products has identified and has quickly removed a recent security issue caused by a 3rd party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices.
Our customers’ privacy and security are of the utmost importance and priority.
The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.
BLU’s advisory says that its R1 HD, Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond models are impacted and goes on to describe how handset owners can confirm if their device is affected or not.
Even if BLU has resolved the issue, it doesn’t seem to have apologised to affected users or done anything to explain just why its phones were collecting sensitive personal information about its customers and their communications.