Down the Rabbit Hole with a BLU Phone Infection

Much-maligned BLU phones have been a privacy and spyware nightmare. Threatpost shares the story of one victim who experienced firsthand a relentless wave of unwanted programs, spyware and frustration.

When network administrator James Lockmuller bought 11 dirt-cheap Android phones via Amazon he thought he had a perfect solution for communicating with his warehouse team stretched across a 73,000 square-foot campus. He installed only Skype on the devices and planned to use the $50 BLU Studio X8 HD phones as high-end walkie-talkies on a Wi-Fi network.

Two weeks into rolling out the phones things went sideways.

“After 14 days of acting normal, an app called Setting installed itself mysteriously on the handsets, giving itself full permissions over the phones,” Lockmuller said. “The phone started popping up installers and displaying ads for other apps. I uninstalled Setting and everything else I could. But the apps kept reinstalling themselves,” he said.

Things went from bad to worse. His phones began spewing ads for virtual slot machine games and mysteriously installing apps with no firsthand user interaction. The phones had a mind of their own, he recalls, beeping, vibrating and constantly cycling through flashy obtrusive ads and installing apps and utilities.

When Lockmuller contacted Miami-based BLU Products’ technical support about his phones, he was told the problem was on his end. He must have downloaded a malicious app, he was told. Lockmuller said “impossible.”

The network administrator nearly blew a gasket. After all, he was giving the phone maker a second chance after rampant allegations that BLU phones were secretly siphoning off user data and sending it to a Chinese firm. BLU Products was at the tail end recovering from allegations made by security firm Kryptowire in July that claimed that some BLU phones (R1 HD and Life One X2) had a backdoor and leaked personal data such as the full-body of text messages, call history and unique device identifiers to a third-party firmware company called Adups Technology Co. That incident culminated in Amazon temporarily halting the sale of the BLU phone.

Adups claims on its website 700 million devices, including cars and other connected devices, use its software.

11 PHONES, 11 PROBLEMS

At the time, BLU vigorously fought the allegations leveled by the security firm Kryptowire. It posted to its site: “BLU Products responds to inaccuracies reported by several news outlets making clear that there is absolutely no spyware or malware or secret software on BLU devices, these are inaccurate and false reports. BLU is reaching out to several reporters to correct their articles and issue apologies.”

Ad from BLU phoneBy this time, Lockmuller’s BLU phones were so junked-up with unwanted apps and ads they were unusable, he said. All 11 of the BLU Studio X8 HD phones purchased from BLU Products via Amazon began to exhibit the same behavior.

“These phones only had one app installed, Skype, directly from the Google Play app store. After installing Skype, I disabled the app store completely as well as the browser. This is not an issue that rode along with a bad app or from browsing the internet,” he said.

When Threatpost contacted BLU to inquire on Lockmuller’s behalf, BLU once again vigorously defended its phones stating the fault was Lockmuller’s. Company officials explained he must have downloaded malware onto his own phone.

“We believe this to be a customer error in which the end user must have downloaded an app with ads or clicked on a website ad that must have caused spam ads to appear. Whether the customer did or did not update his device, a Studio X8 HD would never exhibit this type of behavior,” said Samuel Ohev-Zion, CEO of BLU Products in an email statement to Threatpost.

However, when Threatpost investigated a rash of user complaints posted to Amazon complaining of similar obnoxious adware, Ohev-Zion softened his stance in a second email.

Threatpost found more than a dozen negative Amazon reviews where buyers complained of similar aggressive advertising on their BLU Studio X8 HD phones that was so overwhelming the phones were difficult to use.

One review claimed after 14 days their BLU phone self-installed malware and a “massive amount of apps.”  Another review stated; “Phone started downloading apps the moment it had network access even after a factory reset. Filled memory to the point it rendered the phone effectively inoperable.”

On Aug. 17, when asked to address Lockmuller and other negative reviews, Ohev-Zion agreed to look into Lockmuller’s claims. “We would like to have the device which your contact is saying has these issues, so we can properly investigate,” Ohev-Zion told Threatpost. He offered to upgrade Lockmuller’s phones to a different BLU model or exchange his phones for a gift card.

When Threatpost attempted to follow-up with Ohev-Zion later in the month he did not return repeated email and phone requests.

BLAME IT ON THE FIRMWARE

To better understand what exactly was going on with Lockmuller’s phones—below shows the Setting app—Threatpost asked researchers at the mobile research firm Lookout to analyze two of the phones purchased by Lockmuller. To further verify its findings, Lookout purchased four additional BLU Studio X8 HD phones of its own to investigate what was going on.

According to that forensic analysis, Lookout determined the culprit behind the mysterious app installs and bombardment of ads was the firmware BLU used, China-based Adups Technology. Adups Technology was the same firm identified by Kryptowire earlier in the year accused of secretly siphoning off user data without consent from BLU phone owners.

An examination of the phones concluded that the Adups was contracted by BLU to handle firmware updates on the BLU Studio X8 HD phones Lockmuller purchased. The company was also used to show some context-relevant ads on the phone, Lookout said.

Lookout concluded the BLU Studio X8 HD phones running the adware used Adups firmware build 13. That firmware was also running on all of Lockmuller’s phones and two of the Lookout phones. Two of the other Lookout BLU Studio X8 HD phones were running firmware build 15 and did not exhibit the same behavior.

Lookout researchers don’t believe that Lockmuller inadvertently downloaded a malicious app responsible for the infections. The point of infection, researchers said, was via a malicious ad component downloaded silently via Adups’ advertising backend platform. Lookout determined the phones were infected by a hybrid of Shedun and Ztorg malware, which is an auto-rooting Android adware that typically installs as a system application with highly privileged status.

Through its investigation, researchers believe BLU may have attempted to mitigate against the adware by updating the phone’s firmware from v13 to v15. However, the v13 firmware running on affected phones was unable authenticate the newer version and upgrade attempts failed.

Adups did not respond to repeated attempts by Threatpost seeking comment for this story.

ROOT OF THE MATTER

With Lookout’s BLU v13 phones, researchers documented identical network behavior to Lockmuller’s phones. After two weeks, the phones began attempting to reach out to URLs maintained by Adups for updated advertising modules, content and instructions, researchers said. However, Lookout said pre-programmed URLs had gone dormant by the time it tried and generated “502 bad gateway” error messages indicating the URL resources were offline.

“We believe BLU tried to correct the problem by sending out an OTA update from Adups, but the firmware kept failing to install. Any malware that was on (Lockmuller’s) phones could not be removed,” said Andrew Blaich, security researcher at Lookout.

The BLU Studio X8 HD v15 purchased by Lookout appeared to be operating fine after two weeks of tests.

Meanwhile Lookout researchers said they observed the Shedun/Ztorg malware on Lockmuller’s phones not just display a blizzard of ads, but given their system-level status and root privileges, were also installing copious numbers of Android applications without user consent.

Blaich said the phone was essentially hijacked by a malicious unidentified advertising network that enlisted the phones as part of an automated ad network used to earn money via ads and commissions for “organic” app installations by users.

“Once you get the initial infection on the phone, all bets are off. The malware just keeps installing more ad components, more apps and everything overlays everything else and the phone runs out of space and it just becomes totally unusable,” Blaich said.

Lockmuller was able to receive a full refund from Amazon for nine of the 11 phones purchased. The additional two phones are still being examined by Lookout.

Suggested articles