LOS ANGELES (CN) — A federal class action claims that spyware in thousands of inexpensive Android cellphones may have secretly transmitted purchasers’ personal data, contacts and text messages to a server in China.
Lead plaintiff Darren Martinez claims Miami-based phone maker Blu Products knowingly used low-level control software from co-defendant Shanghai Adups Technology Co. and its subsidiary Adups USA, which included the undisclosed spyware. The software was set to send users’ personal data to an Adups server in Shangai every 72 hours.
“Unbeknown to the class, they had purchased mobile phones that contained extensive spyware that was intercepting, collecting and retransmitting information and data that they entered into the products during their ordinary use,” according to the Dec. 2 complaint.
Martinez lives in Los Angeles, co-plaintiff Joe Mocnik in Tennessee. A similar class action against the same defendants was filed on Nov. 22 in Miami Federal Court. All citations in this article are from the Los Angeles lawsuit.
At least 120,000 Blu Products phones sold this year contain the suspect Adups software embedded in the software layer known as “firmware,” the complaint states.
Shanghai Adups makes the control firmware used in more than 700 million cellphones, tablets, automobiles and other devices, including many Blu Products devices. The Chinese company claims a 70 percent market share for such software in more than 150 countries.
News about the alleged spyware broke Nov. 15 in a report from computer security company Kryptowire. The company discovered that Blu Products phones with recent Adups firmware would transmit users’ full text messages, contact lists, call histories and unique device identifiers.
“The firmware could target specific users and text messages matching remotely defined keywords,” the Kryptowire report states. It also could execute system commands and reprogram the phones.
After the Kryptowire report, Adups apologized in a statement and issued updated firmware without the security vulnerabilities.
Blu Products said it moved quickly to upload the replacement firmware on its phones.
“Our customers’ privacy and security are of the upmost importance and priority,” the company said in a statement.
In a separate statement, Adups said it had created the information-transmitting application for unnamed clients who sought ways for users to flag and screen out junk texts and calls.
In June, some Blu Products devices received firmware that “inadvertently included” that application, the company said. It said that all the data from those devices has been deleted, and none was shared with outsiders.
“This is a private company that made a mistake,” an attorney for Adups told The New York Times.
Martinez’s attorney, Lawrence M. Rosen of Los Angeles, said he does not discuss his cases in the press.
His lawsuit presents a different view of what happened.
“The defendants knew that the products utilized the Adups spyware,” which “created serious security vulnerabilities, interfered detrimentally with the user experience, and otherwise rendered the products unfit for the purposes of which they were sold,” the complaint states.
It adds that Adups markets its services to companies that need “big data” analytics and that users’ personal information was sent to a server at the address “bigdata.adups.com.”
“Despite this awareness, the defendants caused the software to be installed because it financially benefited from the software through the use and review of the data intercepted,” according to the 40-page complaint.
It’s not enough that the defendants have apologized and replaced the offending application, the complaint states. “Despite the firmware update that purports to remove the spyware functions, the defendants, at any time, can push an update to the products that restarts the spyware functionality,” it claims.
The plaintiffs seek class certification and damages of up to $10,000 per user plus punitive damages for violations of the federal Wiretap Act and the federal Computer Fraud and Abuse Act, and for breach of warranty, fraud, deceptive advertising, negligence, invasion of privacy and violations of 20 states’ consumer protection laws.
In the Miami class action, lead plaintiff Aaron Bonds, of Alabama, is represented by Amy Zeman, with the Gibbs Law Group, of Miami Beach, assisted by Daniel Girard, with Girard Gibbs, in San Francisco.
Rosen’s law firm is assisted by Philip Kin and Christopher Hinton, both of New York City.