Miami Cell Phone Company Agrees to Fix Huge Data-Leakage Scandal

Most cell-phone-using Americans might not be familiar with BLU, a Miami-based tech company that makes budget-level Android phones and sells them at markedly cheap prices. But the Federal Trade Commission (FTC) alleges some third-party Chinese data-collection agencies knew BLU well. The company was secretly selling phones infected with spyware that sent users' cell-tower location data, call- and text-message logs, contact lists, used applications, and even the full contents of text messages to a third-party Chinese company called Shanghai Adups Technology.

The scandal, which has been rocking tech communities for years but has largely gone unnoticed in the local media, came to a head this week after the FTC announced it had settled with BLU and was dropping its deceptive-practices complaints against the company.

"Mobile phone manufacturer BLU Products, Inc. and its co-owner have reached a settlement with the Federal Trade Commission over allegations that the company allowed a China-based third-party service provider to collect detailed personal information about consumers, such as text message contents and real-time location information, without their knowledge or consent despite promises by the company that it would keep such information secure and private," the FTC announced Monday. "As part of the settlement, BLU must implement a comprehensive data security program to help prevent unauthorized access of consumers’ personal information and address security risks related to BLU phones."

BLU Products, which is headquartered on NW 33rd Street in Doral, was founded by a Miami native and Marine and Science Technology High School (MAST) graduate, 39-year-old Samuel Ohev-Zion. According to the Miami Herald, Ohev-Zion was arrested in 2003 for drag-racing at more than 100 mph across the Rickenbacker Causeway and subsequently fleeing the scene of a crash in which five people had allegedly been hurt. Court records show the charges were dropped after he completed a pretrial diversion program.

BLU says on its website that it operates an 80,000-square-foot warehouse in South Florida and has been manufacturing phones under the BLU name since 2010. Its business model seems to just be manufacturing phones at dirt-cheap prices: While a new iPhone X might run more than $1,000, prices for "unlocked" BLU smartphones on the company's official Amazon.com page range from just $59.99 to $287.

As of 2013, BLU became one of the fastest-growing phone companies in Latin America, where it sold 4.1 million units in 2013. The Verge, a tech-news outlet, questioned whether the then-fledgling company in 2013 could one day "beat Samsung."

BLU also currently sponsors the Valencia CF pro-soccer team in Spain, one of the more popular and successful teams in the top Spanish La Liga circuit. (They've won six La Liga championships, seven Copa Del Rey titles, and twice been UEFA Champions League runners-up.) BLU's name is currently emblazoned across the team's jersey kits and all over their 49,500-seat stadium. The sponsorship deal began in 2017, after the data-privacy scandal had already broken.

"To our new friends from BLU, I would like to say to them that I am sure that they will find this partnership very beneficial, and we hope to take off together this season and fly very high together," club President Anil Murthy announced last year. "Valencia CF must be better by the day, and allying ourselves with a cutting edge company who are innovative and ambitious is going to help us to make that happen."

solidez y equilibrio

El @valenciacf Ataca y defiende como un colectivo
Todos reman https://t.co/XdPn1pVhPr

— Valencia CF (@valenciacf) May 2, 2018

News broke about the Adups spyware in November 2016 after the mobile-security firm Kryptowire warned that multiple companies hawking cheap Android phones were selling millions of products that came loaded with spyware that leaked information to Adups.

Kryptowire warned that BLU's phones were basically sending the aforementioned call, location, and text data from users to a server in Shanghai every 72 hours. Kryptowire singled out the BLU R1 HD smartphone as an example. The spyware basically let Adupts act as the phone's "user" — according to CNET, this meant the Chinese company could remotely take screenshots, make calls, and record the screen. In September 2016, Adups said its technology was in 700 million phones worldwide.

In response, Amazon temporarily stopped selling some BLU phones, and BLU in December 2016 pledged to replace the Adups software with programs from Google.

But Kryptowire then gave a barn-burning presentation at the 2017 Black Hat conference, an annual computer-security gathering in Las Vegas, warning that Adups had not so much fixed its data-leakage problem as made the spyware more difficult to locate and that some BLU phones were still secretly transmitting data overseas. BLU always maintained that the Adups programs were not "spyware" and that its terms-of-service agreements warned users that some of their data might be stored in overseas servers; the company added in a 2017 news release that "there is absolutely nothing wrong with having a server in China."

Instead, Amazon temporarily pulled BLU's phones from its website again in August 2017, one week after the Black Hat conference. And last month, the FTC hit BLU with a formal "deceptive practices" complaint alleging that the company had misled users into believing the company was collecting only routine, necessary data and that it had falsely told consumers it had in place privacy procedures to protect their data.

"As a result, ADUPS collected sensitive personal information via BLU devices without consumers’ knowledge and consent that it did not need to perform its contracted services," the FTC said in a release Monday. "In addition, ADUPS software preinstalled on BLU devices contained common security vulnerabilities that could enable attackers to gain full access to the devices."

Corrections: Several points in this story have been changed to reflect that the FTC did not allege Blu had actively share data and that the company had policies in place to protect data.