Most cell-phone-using Americans might not be familiar with BLU, a Miami-based tech company that makes budget-level Android phones and sells them at markedly cheap prices. But the Federal Trade Commission (FTC) alleges some third-party Chinese data-collection agencies knew BLU well. The company was secretly selling phones infected with spyware that sent users' cell-tower location data, call- and
The scandal, which has been rocking tech communities for months but has largely gone unnoticed in the local media, came to a head this
"Mobile phone manufacturer BLU Products, Inc. and its co-owner have reached a settlement with the Federal Trade Commission over allegations that the company allowed a China-based third-party service provider to collect detailed personal information about consumers, such as text message contents and real-time location information, without their knowledge or consent despite promises by the company that it would keep such information secure and private," the FTC announced Monday. "As part of the settlement, BLU must implement a comprehensive data security program to help prevent unauthorized access
BLU Products, which is headquartered on NW 33rd Street in Doral, was founded by a Miami native and Marine and Science Technology High School (MAST) graduate, Samuel Ohev-Zion, who is 39 years old. According to the Miami Herald, Ohev-Zion was arrested in 2003 for drag-racing at more than 100 mph across the Rickenbacker Causeway and subsequently fleeing the scene of a crash in which five people had allegedly been hurt. Court records show the charges were dropped after he completed a
As of 2013, BLU had become one of the fastest-growing phone companies across Latin America, selling 4.1 million units that year. The Verge, a tech news outlet, questioned in 2013 whether the then-fledgling company could one day "beat Samsung."
That so far has not happened, because apparently giving up your user data was part of that insanely cheap price point: News first broke about the Adups spyware in November 2016, after a mobile-security firm named Kryptowire warned that BLU's phones were basically sending the aforementioned call, location, and text data from users to a server in Shanghai every 72 hours. Kryptowire singled out the BLU R1 HD smartphone as a particular example. The spyware basically let Adups act as the phone's "user" — according to CNET, this meant the Chinese company could remotely take screenshots, make calls, or record the screen. In September 2016, Adups said its technology was in 700 million different phones worldwide.
In response, Amazon temporarily stopped selling some BLU phones, and BLU in December 2016 pledged to replace the Adups software with programs from Google.
But Kryptowire then gave a barn-burning presentation at the 2017 Black Hat conference, an annual computer-security gathering in Las Vegas, warning that Adups had not so much "fixed" its data-leakage problem as made the spyware harder to locate, and that some BLU phones were still secretly transmitting data overseas. BLU always maintained that the Adups programs were not "spyware" and that its terms-of-service agreements warned users that some of their data might be stored in overseas servers, adding in a 2017 press release that "there is absolutely nothing wrong with having a server in China."
Instead, Amazon temporarily pulled BLU's phones from its website again in August 2017, one week after the Black Hat conference. And, last month, the FTC hit BLU with a formal "deceptive practices" complaint alleging that the company had misled users into believing that it was collecting only routine, necessary data, and that the company had falsely told consumers it had implemented new privacy procedures to protect their data.
"As a result, ADUPS collected sensitive personal information via BLU devices without consumers’ knowledge and consent that it did not need to perform its contracted services," the FTC said in a press release Monday. "In addition, ADUPS software preinstalled on BLU devices contained common security vulnerabilities that could enable attackers to gain full access to the devices."
