Low-cost Android phones collected calls, texts without permission

Personal data from phones, including several models from Blu, was being sent to third-party servers without disclosure or the users' consent, says security firm Kryptowire.

Dan Ackerman Editorial Director / Computers and Gaming
Dan Ackerman leads CNET's coverage of computers and gaming hardware. A New York native and former radio DJ, he's also a regular TV talking head and the author of "The Tetris Effect" (Hachette/PublicAffairs), a non-fiction gaming and business history book that has earned rave reviews from the New York Times, Fortune, LA Review of Books, and many other publications. "Upends the standard Silicon Valley, Steve Jobs/Mark Zuckerberg technology-creation myth... the story shines." -- The New York Times
Expertise I've been testing and reviewing computer and gaming hardware for over 20 years, covering every console launch since the Dreamcast and every MacBook...ever. Credentials
  • Author of the award-winning, NY Times-reviewed nonfiction book The Tetris Effect; Longtime consumer technology expert for CBS Mornings
Dan Ackerman
2 min read

Mobile phone company Blu sells low-cost Android phones.

Josh Miller/CNET

Several popular Android phones were collecting personal data -- such as text messages and call history -- without users' knowledge or consent, according to security firm Kryptowire.

Mobile phone company Blu sells low-cost Android phones and is a common sight on Amazon. Its $59 Blu Advance 5.0 is the No. 1 product the retailer's "unlocked cell phones" category. While that model wasn't affected, several other Blu phones were, including the Blu R1 HD. You can see the full list here.

Many low-cost Android phones, including several Blu models, "contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users' consent," said Kryptowire in a release Tuesday.

Blu responded by publishing a "Security Concern" notice, which includes instructions for making sure your phone has the company's software patch to disable the data collection.

"BLU Products has identified and has quickly removed a recent security issue caused by a 3rd party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices," Blu said in the security notice. "Our customer's privacy and security are of the upmost [sic] importance and priority."

Blu didn't immediately responded to a request for comment.

The data potentially collected was extensive, according to Kryptowire. "These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers."

Where did the data go? Kryptowire says the data was "transmitted periodically without the users' consent or knowledge" to a server located in Shanghai.