Down the Rabbit Hole with a BLU Phone Infection

Much-maligned BLU phones have been a privacy and spyware nightmare. Threatpost shares the story of one victim who experienced firsthand a relentless wave of unwanted programs, spyware and frustration.

When network administrator James Lockmuller bought 11 dirt-cheap Android phones via Amazon he thought he had a perfect solution for communicating with his warehouse team stretched across a 73,000 square-foot campus. He installed only Skype on the devices and planned to use the $50 BLU Studio X8 HD phones as high-end walkie-talkies on a Wi-Fi network.

Two weeks into rolling out the phones things went sideways.

“After 14 days of acting normal, an app called Setting installed itself mysteriously on the handsets, giving itself full permissions over the phones,” Lockmuller said. “The phone started popping up installers and displaying ads for other apps. I uninstalled Setting and everything else I could. But the apps kept reinstalling themselves,” he said.

Things went from bad to worse. His phones began spewing ads for virtual slot machine games and mysteriously installing apps with no firsthand user interaction. The phones had a mind of their own, he recalls, beeping, vibrating and constantly cycling through flashy obtrusive ads and installing apps and utilities.

When Lockmuller contacted Miami-based BLU Products’ technical support about his phones, he was told the problem was on his end. He must have downloaded a malicious app, he was told. Lockmuller said “impossible.”

The network administrator nearly blew a gasket. After all, he was giving the phone maker a second chance after rampant allegations that BLU phones were secretly siphoning off user data and sending it to a Chinese firm. BLU Products was at the tail end recovering from allegations made by security firm Kryptowire in July that claimed that some BLU phones (R1 HD and Life One X2) had a backdoor and leaked personal data such as the full-body of text messages, call history and unique device identifiers to a third-party firmware company called Adups Technology Co. That incident culminated in Amazon temporarily halting the sale of the BLU phone.

Adups claims on its website 700 million devices, including cars and other connected devices, use its software.

11 PHONES, 11 PROBLEMS

At the time, BLU vigorously fought the allegations leveled by the security firm Kryptowire. It posted to its site: “BLU Products responds to inaccuracies reported by several news outlets making clear that there is absolutely no spyware or malware or secret software on BLU devices, these are inaccurate and false reports. BLU is reaching out to several reporters to correct their articles and issue apologies.”

By this time, Lockmuller’s BLU phones were so junked-up with unwanted apps and ads they were unusable, he said. All 11 of the BLU Studio X8 HD phones purchased from BLU Products via Amazon began to exhibit the same behavior.

“These phones only had one app installed, Skype, directly from the Google Play app store. After installing Skype, I disabled the app store completely as well as the browser. This is not an issue that rode along with a bad app or from browsing the internet,” he said.

When Threatpost contacted BLU to inquire on Lockmuller’s behalf, BLU once again vigorously defended its phones stating the fault was Lockmuller’s. Company officials explained he must have downloaded malware onto his own phone.

“We believe this to be a customer error in which the end user must have downloaded an app with ads or clicked on a website ad that must have caused spam ads to appear. Whether the customer did or did not update his device, a Studio X8 HD would never exhibit this type of behavior,” said Samuel Ohev-Zion, CEO of BLU Products in an email statement to Threatpost.

However, when Threatpost investigated a rash of user complaints posted to Amazon complaining of similar obnoxious adware, Ohev-Zion softened his stance in a second email.

Threatpost found more than a dozen negative Amazon reviews where buyers complained of similar aggressive advertising on their BLU Studio X8 HD phones that was so overwhelming the phones were difficult to use.

One review claimed that after 14 days their BLU phone self-installed malware and a “massive amount of apps.” Another review stated: “Phone started downloading apps the moment it had network access even after a factory reset. Filled memory to the point it rendered the phone effectively inoperable.”

On Aug. 17, when asked to address Lockmuller and other negative reviews, Ohev-Zion agreed to look into Lockmuller’s claims. “We would like to have the device which your contact is saying has these issues, so we can properly investigate,” Ohev-Zion told Threatpost. He offered to upgrade Lockmuller’s phones to a different BLU model or exchange his phones for a gift card.

When Threatpost attempted to follow-up with Ohev-Zion later in the month he did not return repeated email and phone requests.

BLAME IT ON THE FIRMWARE

To better understand what exactly was going on with Lockmuller’s phones (the Setting app is shown below), Threatpost asked researchers at the mobile research firm Lookout to analyze two of the phones purchased by Lockmuller. To further verify its findings, Lookout purchased four additional BLU Studio X8 HD phones of its own to investigate what was going on.

According to that forensic analysis, Lookout determined the culprit behind the mysterious app installs and bombardment of ads was the firmware BLU used, China-based Adups Technology. Adups Technology was the same firm identified by Kryptowire earlier in the year accused of secretly siphoning off user data without consent from BLU phone owners.

An examination of the phones concluded that Adups was contracted by BLU to handle firmware updates on the BLU Studio X8 HD phones Lockmuller purchased. The company was also used to show some context-relevant ads on the phone, Lookout said.

Lookout concluded the BLU Studio X8 HD phones running the adware used Adups firmware build 13. That firmware was also running on all of Lockmuller’s phones and two of the Lookout phones. Two of the other Lookout BLU Studio X8 HD phones were running firmware build 15 and did not exhibit the same behavior.

Lookout researchers don’t believe that Lockmuller inadvertently downloaded a malicious app responsible for the infections. The point of infection, researchers said, was via a malicious ad component downloaded silently via Adups’ advertising backend platform. Lookout determined the phones were infected by a hybrid of Shedun and Ztorg malware, which is an auto-rooting Android adware that typically installs as a system application with highly privileged status.

Through its investigation, researchers believe BLU may have attempted to mitigate the adware by updating the phone’s firmware from v13 to v15. However, the v13 firmware running on affected phones was unable to authenticate the newer version, and upgrade attempts failed.

Adups did not respond to repeated attempts by Threatpost seeking comment for this story.

ROOT OF THE MATTER

With Lookout’s BLU v13 phones, researchers documented identical network behavior to Lockmuller’s phones. After two weeks, the phones began attempting to reach out to URLs maintained by Adups for updated advertising modules, content and instructions, researchers said. However, Lookout said pre-programmed URLs had gone dormant by the time it tried and generated “502 bad gateway” error messages indicating the URL resources were offline.
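The phones in this story were supposed to talk to nothing but Skype, so on a managed Wi-Fi network the beaconing Lookout describes (periodic requests to update/ad URLs answered with 502s) is detectable from egress logs alone. The following is an added example, not code from the article or from Lookout: it triages constructed proxy log lines against an assumed allowlist of Skype-related hosts and flags devices that contact several unexpected hosts, reporting how many of those requests failed with 502. The log format, the allowlist and every hostname and IP are constructed for illustration.

```python
"""Egress-allowlist triage for locked-down Wi-Fi devices (added example)."""
from collections import defaultdict
import re

# Assumed proxy log line format (constructed): "<epoch> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Destinations the walkie-talkie phones are expected to reach (assumed allowlist).
ALLOWED_HOST_SUFFIXES = (".skype.com", ".live.com", ".microsoft.com")


def host_of(url):
    """Extract the hostname from a URL; returns '' for anything unparsable."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def is_allowed(host):
    """True if the host is an allowlisted domain or a subdomain of one."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_HOST_SUFFIXES)


def triage(log_lines, min_unexpected=3):
    """Return {client_ip: {"unexpected_hosts": [...], "gateway_errors": n}}
    for every client that contacted at least `min_unexpected` distinct hosts
    outside the allowlist. gateway_errors counts 502 responses from those
    unexpected hosts only, the signature of dormant update/ad endpoints."""
    unexpected = defaultdict(set)
    errors = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        host = host_of(m["url"])
        if not host or is_allowed(host):
            continue
        unexpected[m["client"]].add(host)
        if m["status"] == "502":
            errors[m["client"]] += 1
    return {
        client: {"unexpected_hosts": sorted(hosts), "gateway_errors": errors[client]}
        for client, hosts in unexpected.items()
        if len(hosts) >= min_unexpected
    }


# Constructed sample: 10.0.5.11 behaves like an infected phone, 10.0.5.12 like a clean one.
SAMPLE_LOG = [
    "1503000000 10.0.5.11 GET https://api.skype.com/users/self 200",
    "1503000005 10.0.5.11 GET http://ads.example-backend.invalid/module?v=13 502",
    "1503000006 10.0.5.11 GET http://cfg.example-backend.invalid/cmd 502",
    "1503000007 10.0.5.11 GET http://dl.example-apps.invalid/pkg.apk 200",
    "1503000010 10.0.5.12 GET https://api.skype.com/users/self 200",
    "1503000011 10.0.5.12 GET https://login.live.com/oauth20 200",
    "this line is not a log record",
]

if __name__ == "__main__":
    for client, info in triage(SAMPLE_LOG).items():
        print(client, info)
```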

“We believe BLU tried to correct the problem by sending out an OTA update from Adups, but the firmware kept failing to install. Any malware that was on (Lockmuller’s) phones could not be removed,” said Andrew Blaich, security researcher at Lookout.

The BLU Studio X8 HD v15 purchased by Lookout appeared to be operating fine after two weeks of tests.

Meanwhile, Lookout researchers said they observed the Shedun/Ztorg malware on Lockmuller’s phones not just displaying a blizzard of ads but, given its system-level status and root privileges, also installing copious numbers of Android applications without user consent.

Blaich said the phone was essentially hijacked by a malicious unidentified advertising network that enlisted the phones as part of an automated ad network used to earn money via ads and commissions for “organic” app installations by users.

“Once you get the initial infection on the phone, all bets are off. The malware just keeps installing more ad components, more apps and everything overlays everything else and the phone runs out of space and it just becomes totally unusable,” Blaich said.

Lockmuller was able to receive a full refund from Amazon for nine of the 11 phones purchased. The additional two phones are still being examined by Lookout.

Discussion

  • Bob on

    I bought my first (only) Blu phone Jan 2016. It was a Blu Life One X (2016 edition). The company promised on their website and social media it would receive the update to 6.0. Constant inquiry to them resulted in a response of 'we are working to update the phone'. Over 16 months of promises, they are no longer supporting the phone (which is now bricked due to unknown reasons), and I've moved on to a Moto G5 Plus, which has seen at least 3 security updates since purchasing back in May 2017. I can't even recommend Blu branded phones to people I hate.
    • BLU Products on

      Hello Bob, We are really sorry about any issues you may be experiencing with your device, and we would love to look into this further with you. We are going to need more details as to the exact issues you are experiencing. If you would please reach out to us directly at 1-877-639-6393 or www.bluproducts.com/service one of our technical support representatives would be happy to look into this with you.
      • treFunny on

        @BLU, STOP!!!! go away go away go away!!!!!!!
      • Bob on

        How about this. I am tired of reaching out to you guys, getting the run around. You guys can reach out to me (you have my info on your Facebook feed and prior messages on Facebook), and I will let you know what's going on.
  • Lucas De Souza on

    I had two BLU phones, but I replaced them. The company doesn't work on updates. So now I use Xiaomi devices and they are updated frequently.
    • BLU Products on

      Hello Lucas De Souza, We are really sorry to hear this and we apologize that such updates have yet to be released. Please know that we strive to have our phones up to date as much as we can and that our Software Team is working really hard on doing so. If you have any more questions in regards to the update or have experienced any issues, please contact us at 1-877-639-6393 or www.bluproducts.com/service
  • Larry D. Dixon on

    I have a Blu now that I'm sending back to Amazon because it's doing all kinds of crazy stuff. I'm going to a Moto G5. Do not buy a Blu!
    • BLU Products on

      Hi Larry D. Dixon, We are really sorry you had a poor experience with the device, and we would really like to help resolve any issues or problems you may be experiencing. In order to help, we will need more details about exactly what is wrong with the device. You can reach us directly at 1-877-639-6393 or www.bluproducts.com/service and one of our techs would be happy to help you resolve this. I
  • Julie Parker on

    My husband and I have a Blu phone. It keeps popping up "My Account is denied to obtain your current position." It happens about every 15 seconds. My husband and I are on a V.A. pension and don't have the money to pay the high prices for a new phone. What can I do? Help please.
    • BLU Products on

      Hi Julie Parker, It is very unfortunate to hear you have been experiencing these complications with your device. Our tech support team will be more than glad to assist you with them, please reach out to us at 1-877-639-6393 or www.bluproducts.com/service so they could further investigate such issues with you.
  • A on

    BLU Studio XL2 exhibits same behavior.
    • BLU Products on

      Hello A, We apologize for any issues that may have come up and you are experiencing at this time. We would love to further investigate the cause of such complications, in order to do this please contact our tech support team at 1-877-639-6393 or www.bluproducts.com/service where one of our agents will be ready to assist you.
  • Anonymous on

    Yep, no problem lettin' those Chinese guys build and manage our devices, is there? Nope, nothing to see here...
    • BLU Products on

      Hi Anonymous, We can definitely understand your concern, and want you to know that we take these security issues very seriously. We invite you to check the following site ( http://www.prnewswire.com/news-releases/blu-responds-to-inaccuracies-in-several-stories-from-last-week-regarding-its-devices-300496680.html ) for more information in regards to these allegations.
  • Poppy on

    Been using Blu for a few years without too much of a problem. Only negatives are slow(any) updates and middle of the road specs. Basically you get what you pay for and for me that works. I'm on my 3rd phone and can't really complain. Beats spending $800 on a Samsung....just sayin'
    • BLU Products on

      Hi Poppy, We would like to let you know that as company we always strive to have our devices as up to date as possible. We apologize for any previous delays and any inconvenience these may have caused you. If you have any questions, please know you can always reach out to us at 1-877-639-6393 or www.bluproducts.com/service
  • June on

    I know what you mean, I have a 6.0, Blu 4G LTE and had to get another phone that's just as bad and doing the same thing...
    • BLU Products on

      Hi June, We are really sorry to know that you have been experiencing issues with your device. Please reach out to our tech support team at 1-877-639-6393 or www.bluproducts.com/service and one of our agents will be happy to assist you.
  • Goodguy on

    Amazon knows about the malware on Blu phones. I have reported it to Amazon and the state attorney general, and I have returned all the Blu phones I ever bought from Amazon, and I put on Amazon a review with pictures of the malware that was on the phone and that Malwarebytes had found on the phone.
    • BLU Products on

      Hello Goodguy, We have addressed these previous allegations in regards to malware. Please visit the following site, to know that there is nothing to worry about: http://www.prnewswire.com/news-releases/blu-responds-to-inaccuracies-in-several-stories-from-last-week-regarding-its-devices-300496680.html
  • Jared on

    I had the same issues on the BLU Studio Max, and it persisted after a factory reset. I have two samples (apks) of what it installed on the phone.
    • BLU Products on

      Hello Jared, We would love to help you out with your Studio Max, that is currently presenting such issues. In order to do so, please reach out to our tech support team at 1-877-639-6393 or www.bluproducts.com/service so they can further assist you.
  • TimD on

    Thank God I was given a model w no sound as a gift. As an independent contractor it was impossible for me 2 use as my phone is my lifeline 2 work. Missing a call means missing a check. It's a huge problem on Vivo 5R. No audio whatsoever! No ring, alarms, video, or even being able 2 hear a caller. If ur able 2 get a model w audio the speaker is on the back of the phone. So the audio is still compromised unless ur holding it in ur hand & u still can't hear the audio on videos. If phone is laid on a flat surface, u can't hear it ring. I can't think of anything more obvious right out of the box than this 2 tell customers THIS IS NOT A PHONE! It was never designed 2b a phone. The bloatware is obvious. I had 2 disable Google Play immediately. As soon as u connect 2 a wifi the phone blows up installing random apps for hours on end. The most malicious is called "Wireless Update." I keep Google Play disabled & I use as a spare camera or to read articles online using Chrome. I also use a little 808 Bluetooth speaker 2 watch videos. I don't use apps & just keep everything disabled. The hardware design makes it abundantly clear, this product was never intended to be a phone, or act like a phone. It's nothing but handheld spyware & malware.
    • BLU Products on

      Hi TimD, We are terribly sorry to find out that your phone is currently experiencing these audio issues. We would love to further investigate such complications and find the reason that's causing them. Please contact us at 1-877-639-6393 (U.S.A) or www.bluproducts.com/service
  • Crizzy on

    I am on a 2016 BLU Life One X right now and it has been running 6.0 for quite awhile so what are you talking about?
    • Bob on

      @Crizzy That's good that you are running Android 6.0. I waited until May 2017 (owned the phone since January 2016) to switch off my Blu Life One X 2016 (with no Android 6.0 in sight at that time) to a Moto G5+ (which had Android 7.0). So far I have received 2-3 security updates for issues that came up (never for my Blu phone in the 1.5 years I owned it). My Blu phone didn't even start bricking until a month or two after that (possibly WHEN it finally received 6.0). So I can't even in good faith recommend Blu products EVEN if their firmware was 100% safe.
  • nublet on

    I have had a Blu R1 HD for about six months now, and I absolutely love it. Sure, it's not as fast as other phones, but it was $60, and it performs way better than an Honor 5X.
  • Fonda Miller on

    My phone is a Blu vivo 5 what do you think,am I ok or do I need to worry?
    • BLU Products on

      Hi Fonda Miller, You have nothing to worry about. If you have any questions or concerns in regards to your device or if you have been experiencing any issues, please reach out to us at 1-877-639-6393 or www.bluproducts.com/service and one of our techs will be ready to assist you.
  • Cindy A Taveira on

    My phone runs very slow; turns itself on and off. Unsolicited apps keep occurring. BLU Life One X.
    • BLU Products on

      Hello Cindy A Taveira, It is very unfortunate to hear you have been experiencing these complications with your device. Our tech support team will be more than glad to assist you with them, please reach out to us at 1-877-639-6393 www.bluproducts.com/service so they could further investigate such issues with you.
  • Gizmo Jones on

    I've been using the R1-HD for over a year and it works great for the price. I've also purchased no less than 6 other BLU phones for various uses and I've never had any issues. These concerns are legitimate, but by no means affect all phones they make. I do hope though that they stop using that particular firmware. Also, I've heard of several people getting this type of malware on other Android devices too, not exclusively a BLU problem.
  • Robert on

    Have BLU Vivo XL for a bit over a year now, no issues here thankfully. Best $150 I've ever spent on a phone. Sorry to see so many other people reporting problems...
  • Kyle reddell on

    I purchased a blu studio xl2 from Amazon months ago, and the exact same things were happening in this article. The only solution I found was to root the phone and freeze every app that was causing the behavior. It was still only temporary, and the ads would pop up occasionally until I repeated the process. It was so frustrating I was relieved when I "accidentally" smashed it to a million pieces one drunken night at the bar when I couldn't google properly without ads for candy cookie sweeties soda pop crush smash whatever popping up. Never. Again.
    • BLU Products on

      Hi Kyle Reddell, We apologize for any issues that may have come up and you are experiencing at this time. We would love to further investigate the cause of such complications, in order to do this please contact our tech support team at 1-877-639-6393 www.bluproducts.com/service where one of our agents will be ready to assist you.
  • Scott on

    I have a Blu Vivo 5R running Android v7.0. No problems whatsoever. Sorry other people are having problems.
  • Aaron on

    I've had 3 different BLU phones. All worked fine. My most recent had kept up with some of the high ends for a while but is now falling behind. I've never had a real problem with the phones. Sucks for those who get the short straw.
  • Jimbo on

    I've never had an issue with any BLU Phone.
  • Alimon Wegbe on

    I have a BLU PURE XL; the wireless update always pops up but never updates.
  • Lindi on

    My second Blu phone vivo xl. Had a problem with the battery a year ago. I contacted Blu and they were willing to have me send my phone to them. All I wanted was a new battery. I finally contacted Amazon and that night they sent me a new phone and gave me the RA for a free return of the old phone. Amazon's warranty had run out 6 months earlier. It's a year later and I'm again having trouble with the battery. This time I was able to buy a new battery. I think these batteries are a knock-off because they are much lighter and lose power completely in just a few hours. This has been the longest period of time I have used my phone so over usage can't be to blame.
  • Ben on

    It is nice that Amazon was willing to refund Lockmuller after BLU support refused to even correctly acknowledge the issue. However, this situation seems to point to poor policy enforcement by Google which may extend beyond BLU. It should be a violation of the phone OEM license for the Google Services Framework and Google Play Store app to have firmware which leads to fraudulent ad clicks and app installs. While BLU may claim they were not aware this activity was taking place on their phones, it seems very clear they refused to even research the possibility of their license violation in favor of blaming the customer. Google should be doing more to encourage Android users to report violations back to Google directly. Instead, it is easier to reach out to Lookout than Google. The end result is, regardless of what Lookout finds, BLU still retains their license to distribute Google Play. This environment is a problem for multiple groups. The people purchasing ads cannot trust ad click counts they pay for to be legitimate, app developers have to compete against other apps with artificially inflated install counts, and budget Android users can't count on the availability of Google Play to mean there won't be malicious activity in the firmware. Bottom line for me: Do not buy any device that isn't listed as supported by TWRP (TeamWin Recovery Project). Even if you don't intend to use a third-party ROM, the availability of third-party ROMs can help keep a phone OEM honest by putting pressure on them. Without that option, the OEM holds all the leverage and seems much more likely to abuse that power, as can be shown by the actions of BLU support and Samuel Ohev-Zion.
  • MckinneyMan on

    Don't trust a word anyone from BLU states.... They lie to cover their butts and refuse to assist. They give false promises of help and updates and to this day they lie and say there is nothing wrong, but if you actually send your phone to them they will return it stating there is nothing wrong and that the coverage is now ended and you're on your own.. I have 5 Vivo XLs that are bricked due to their software and they say I am to blame... right after I purchased these phones and set them up, I had issues with my credit, bank and loans I never opened.. found out it was the phones due to spyware.... never again will I buy cheap phones.
  • KG on

    Nice thread. I won't ever be buying a Blu phone... Root of the problem is in the fundamentals. ISPs should be liable for the security and privacy policies of manufacturers. Likewise, manufacturers should be proactive and should not deprecate their security and should not discontinue sending regular security updates on older model phones. It is also a vendor/third party that exposes you further to supply chain malware. It is clearly evident in Blu/Adups. It is also painfully evident with LG/Verizon as well, for example, and both maintain plausible deniability. But all in all, this problem is systemic in the modern business world. Business as usual.
  • J on

    I have a Blu Vivo 5R; this is a fantastic phone for the money. I'm sorry to hear about the software problems some folks are having; personally I haven't experienced anything of that sort. At least the phones aren't overheating and starting fires or exploding.
  • IT expert on

    I own a blue eo 5.0 and it keeps installing malicious apps over and over; it has factory installed malware that has absolute privileges and automatically enables the "unknown sources" option for apps, automatically turns data on in order to have access to the net, and I keep unchecking those settings and uninstalling apps several times during the day. The money lost due to having to perform these corrections is simply outrageous. Moral to everyone out there: NEVER BUY BLU !!! Staying away from that company will be the best money saver you could ever get. It is unbelievable that they pay someone to try to soften with "support" comments posted here BLU's illegal actions and deliberate breach of privacy. Just think about all of your personal and financial data being sent to China or elsewhere and you will find a ton of compelling reasons to never buy a Blu phone. Don't even accept it as a gift. It is like a loaded machine gun that keeps firing on the user several times a day and causing exponential damage.
  • Brad on

    I got a Blu Studio XL 2 earlier this year and it has been nothing but an ad magnet onto itself. There is something seriously wrong with how they sell these phones and how they blatantly lie. They will also do anything to pass the blame onto the user.
  • Jonathan G on

    I am having the same issue with a Blu Tank Extreme 5. Self installing fake system and security apps. Full screen pop-ups, sometimes of Asian porn, I kid you not! A great phone for an 11 year old. Unable to update as it prompts me that it has been rooted. Phone is stock. I've narrowed it down to HTMLviewer.apk, which is a system application that cannot be removed.
  • Ben on

    Jonathan G: The Over The Air (OTA) method of updating a stock Android makes assumptions about the layout and state of the system. Once malware is able to put a phone into a rooted state, those assumptions can no longer be made. If OTA was to force its changes blindly then it is likely you would get a phone that no longer starts correctly on boot (also known as bricked). When you narrowed it down to HTMLviewer.apk, did you get any information on it being identified as any specific type of malware (such as trojan.dropper.agent.d or trojan.android.sivu.c)? BLU support may be able to assist with performing a factory ROM flash over USB using ADB (Android Debug Bridge) running on a computer. However, I am not sure if their latest ROM images have been cleaned of malware or not. Members of the XDA Developers forum seem to have identified problem apps (HtmlViewer.apk and ignitebluoem.apk) in the stock ROM for the Blu Tank Xtreme Pro as of November 2017. Given that the newer Tank Xtreme Pro is still impacted, it seems likely the Tank Xtreme 5 latest ROM images are still infected as well. BLU's security concern page only seems to acknowledge problems with several older models and not either the Tank Xtreme 5 or Tank Xtreme Pro, which seems to be a bad sign that they may only be addressing the issue periodically when a major company like Amazon forces them to and then going back to malware business as usual afterward. Also, while there is some discussion on using an unofficial modified ROM to address the issue for the Tank Xtreme Pro, I couldn't find any solution for the Tank Xtreme 5. If you are looking for a good budget phone for an 11 year old, I would recommend the Motorola Moto E. Lenovo/Motorola seem to care enough about their brand to avoid Asian porn or other Adups related activity as part of their stock ROM.
    • Jonathan G. on

      Ben - Right out of the box Malwarebytes found trojan.android.sivu.c in the HTMLViewer.apk. It looks like it also found Adware.YeMobi.a in the stock Fire.apk. I tried BLU's OTA wireless update, but it fails, stating that the phone is rooted (it's not - but the stock firmware has issues and fails the root integrity check). I have also been looking for a way to root and wipe this phone, but have come up empty. For now I have just about every apk uninstalled or disabled. Thank you for the recommendation, I will check out the Moto E.
  • JB on

    No problems at all with my Blu Tank Extreme Pro. Before even setting it up I disabled the Blu apps, uninstalled the junkware, and turned off the "auto update" feature in the OS. No lag, no ET-phone-home, no adware ... just a decent and functional inexpensive phone. Although I have not rooted this (disable or uninstall works just fine) TWRP is available for Blu phones and you can root and manually remove any questionable apps. Though my no-root approach has thus far been sufficient.
  • Edward on

    I've begun having problems with my Blu Life Max that sound remarkably similar to those described in this article. I purchased my phone early last year while it had a promotional discount. I'd been using it without issue until this week, when upon waking up one morning, I found that AVG had detected no fewer than three malwares that I had to remove. It is most fortunate that I had AVG installed already, as one of the malwares was apparently shutting my phone's WiFi off at every opportunity. The others were popping up advertisements for random games and apps that would stay on top of my screen unless I X'd them out. These malwares keep coming back every morning at around 2:30AM unless I turn my phone off. I'll use AVG or Malwarebytes to remove them, and then run a full scan to see if there's anything lingering which finds nothing, but they'll just come right back the next morning.
