Update (8/5): Amazon has resumed selling some Blu phones after reviewing information sent by the maker. Meanwhile Blu has announced they're getting relisted calling it a "false alarm," it must be harsh to be out of Amazon if you're a small phone manufacturer.
Back in November last year, security firm Kryptowire discovered spyware on some unlocked budget Android handsets made by US manufacturer Blu Products. Sales were halted for a month, but it seems that wasn’t the end of the matter. Amazon has just suspended the company from selling on the site, again, because the malicious software is apparently still present.
The app in question is developed by a Chinese firm called Shanghai Adups Technology Company. Kryptowire researchers discovered it was collecting user data from the Blu R1 HD phone and surreptitiously sending it to servers in China.
During last week’s BlackHat security conference in Las Vegas, Virginia-based Kryptowire said certain Blu phones still contained the spying software, which it claims makes the handsets vulnerable to remote attacks, as well as call and text logging.
"They replaced [the malware] with nicer versions. I have captured the network traffic of them using the command and control channel when they did it," said Kryptowire co-founder Ryan Johnson. He found the information being sent overseas included what apps were installed on the phone, MAC addresses, IMEI, phone numbers, and cell phone tower IDs.
A Blu spokeswoman denies the company has done anything wrong, stressing that it has "several policies in place which take customer privacy and security seriously.” Regarding the data collection, the company said:
But it seems Amazon isn’t happy with Blu’s explanation. The retail giant told CNET that "because [the] security and privacy of our customers are of the utmost importance,” it has stopped sales of Blu handsets.