Android Manufacturer Blu Settles FTC Privacy Allegations

Smartphone manufacturer Blu Products has settled charges that it violated privacy promises by allowing an outside company based in China to collect detailed information about consumers, the Federal Trade Commission said Monday.

The FTC alleged that Blu, a Miami-based company that sells budget-priced unlocked Android phones, deceived consumers by allowing the China-based service provider Adups to collect a host of personal data.

Starting in 2015, Blu's devices were preinstalled with Adups, which was supposed to perform updates and issue security patches for devices connected to the Internet of Things, according to the FTC. Instead, the company -- which also offers advertising and data mining services -- allegedly gathered information including text messages, real-time geolocation data, phone numbers and contact lists.

Blu promised in its privacy policy that it would only share data with service providers if they had a business need for the information, the FTC's Lesley Fair writes in a blog post.

"Until at least November 2016, Adups software on Blu devices transmitted personal information about consumers to Adups’ servers in China without consumers’ knowledge and consent," the FTC writes in a blog post. "According to the complaint, Adups’ software transmitted consumers’ texts to its servers every 72 hours and sent back real-time location data every 24 hours. And let’s be clear: That’s not information Adups 'needed to perform their services or functions'."

The allegations emerged in November of 2016, when security firm Kryptowire issued a report about the Adups software. Blu updated its software, but "continued to allow Adups to operate on its older devices without adequate oversight," the FTC alleged.

Amazon suspended Blu in 2016, then again in 2017, in response to reports about the Adups software.

The agency's complaint, which names Blu and owner Samuel Ohev-Zion as defendants, also alleges that the company failed to honor its promises to implement "appropriate" security.

Instead, Blu devices' preinstalled software contained vulnerabilities that left consumers "susceptible to 'command injection' attacks, which an unknown third party could exploit to gain full access to users’ devices and, among other things, factory reset a device, take screenshots and video recordings of a device’s screen, and install malicious applications," the FTC alleged.

The settlement calls for Blu to refrain from misrepresenting privacy and security practices, and to implement a comprehensive security program. The company also will be subject to biennial audits for 20 years.
