Android phone-maker BLU Products agreed on Tuesday to a proposed settlement with the Federal Trade Commission over allegations that it allowed the third-party firm Adups Technology to collect detailed consumer data from users without their consent.
In an administrative complaint filed earlier this week against BLU and the company’s co-owner and president Samuel Ohev-Zion, the FTC accused the firm of sharing with China-based Adups the full contents of its users’ text messages, real-time cell tower location data, call and text-message logs, contact lists, and the applications used and installed on devices.
Ultimately, the FTC is alleging Ohev-Zion and BLU violated the FTC Act’s section pertaining to “deceptive representation regarding disclosure of personal information.” The proposed settlement will be made final after a 30-day public comment period.
In its proposed complaint, the FTC said Florida-based BLU contracted with Adups to issue security and operating system updates to millions of phones sold by the firm through Amazon, Best Buy and Walmart. In addition to allegedly failing to protect consumer privacy, the FTC asserts that BLU failed “to adequately assess the privacy and security risks of third-party software installed on BLU devices,” resulting in “common security vulnerabilities that could enable attackers to gain full access to the devices.”
Issues with BLU phones became public in Nov. 2016, when security researchers at Kryptowire first reported that several models of BLU phones actively transmitted user and device information to Adups.
Problems allegedly snowballed for BLU from there, according to the FTC.
“Because pre-installed software on BLU devices contained commonly known security vulnerabilities that, for example, made them susceptible to ‘command-injection’ attacks…an unknown third party could exploit [these] to gain full access to users’ devices and, among other things, factory-reset a device, take screenshots and video recordings of a device’s screen, and install malicious applications,” the FTC wrote in its proposed complaint.
In a statement to Threatpost in July 2017, Adups said “issues from 2016 have been solved” and that moving forward it would “only send completely safe and reliable (firmware over-the-air update) versions to [its] customers.” Yet in October, Threatpost worked with researchers at Lookout to examine a number of BLU phones bought by Florida-based network administrator James Lockmuller in July 2017.
“After 14 days of acting normal, an app called Setting installed itself mysteriously on the handsets, giving itself full permissions over the phones,” Lockmuller said at the time. “The phone started popping up installers and displaying ads for other apps. I uninstalled Setting and everything else I could. But the apps kept reinstalling themselves.”
In its forensic analysis, Lookout determined that the culprit behind the mysterious app installs and the bombardment of ads was the firmware BLU used, which was provided by Adups. The firm observed malicious ad components being downloaded silently via Adups’ advertising back-end platform.
The proposed settlement agreement with the FTC does not include any financial penalty or consumer restitution over the alleged issues with affected phones, because in first-offense matters such as this the FTC lacks the power to levy financial penalties. However, if BLU violated the final FTC settlement order, it could face a civil penalty of up to $41,484 per incident.
The proposed agreement would subject BLU to third-party security assessments every two years for 20 years, as well as require it to meet ongoing compliance-monitoring requirements.
The FTC is inviting the public to comment on the settlement reached with BLU up until May 30. At that time, the Commission will decide whether to make it final.