A Chinese manufacturer has installed ‘backdoor’ software on 700 million Android phones that shares data without users knowing.
The software forces the phones to send all of their text messages to a server in China every 72 hours.
A lawyer representing the company that created the firmware said it was designed for a Chinese client and never intended for use on phones elsewhere.
But one Miami-based phone manufacturer, BLU Products, said 120,000 of its phones had been affected and it has updated the software to eliminate the feature.
The feature was first discovered by Virginia-based security firm Kryptowire.
‘Kryptowire has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users’ consent,’ a statement issued today said.
‘These devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD.’
The devices actively transmitted user and device information including ‘the full-body of text messages, contact lists, call history with full telephone numbers’ and identifiers, the company said.
Shanghai Adups Technology Company, a Chinese company, designed the software to help a Chinese phone manufacturer monitor user behaviour.
Adups claims to have a worldwide presence, with a market share exceeding 70 per cent across more than 150 countries and regions, and offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami.
Its software runs on more than 700 million mostly low-end devices, cars and other smart products worldwide.
The same version of the software was not meant for use on American phones, according to Matt Apuzzo at the New York Times, who first reported the discovery.
International customers and people who use disposable or prepaid phones are most affected by the software, the report says.
Kryptowire first discovered the software when one of its researchers, who had bought the BLU R1 HD for a trip overseas, noticed unusual network activity.
After analysts studied the phone for a week, they saw it transmitting text messages to a server in Shanghai.
But the software is difficult to detect.
‘Even if you wanted to, you wouldn’t have known about it,’ Tom Karygiannis, a vice president of Kryptowire, told the New York Times.
‘This isn’t a vulnerability, it’s a feature,’ he told The Verge.
MailOnline has approached Adups and BLU for comment.
Samuel Ohev-Zion, the chief executive of the Florida-based BLU Products, told the New York Times: ‘It was obviously something that we were not aware of.
‘We moved very quickly to correct it.’
He added Adups had assured him all of the information taken from BLU customers had been destroyed.
Lily Lim, a lawyer representing Adups, said the software was intended to help an unidentified Chinese client identify junk text messages and calls.
She did not know how many phones were affected.
Earlier this month, China passed a controversial cybersecurity bill, tightening restrictions on online freedom of speech.
The bill also imposes new rules on online service providers, raising concerns that China is further cloistering its heavily controlled internet.
The legislation, passed by China’s largely rubber-stamp parliament and set to take effect in June 2017, is an ‘objective need’ of China as a major internet power, a parliament official said.
Chinese authorities have long reserved the right to control and censor online content.
The country stepped up controls in 2013, launching a wide-ranging internet crackdown.
Under regulations announced at the time, Chinese internet users face three years in prison for writing defamatory messages that are re-posted 500 times or more.
They can also be jailed if offending posts are viewed more than 5,000 times.