Software installed on some Android phones secretly monitored users, and even sent keyword-searchable, full text message archives to a Chinese server every 72 hours, according to research from security firm Kryptowire.
The software, which also tracked users’ location data and call logs, was written by the Chinese company Shanghai Adups Technology Company, but its purposes — state surveillance or advertising — are unknown. “This isn’t a vulnerability, it’s a feature,” Kryptowire vice president of product Tom Karygiannis told The Verge.
The news was first reported earlier in the morning by The New York Times.
Adups claims to have software running on more than 700 million, mostly low-end devices, and says it has partnered with some major manufacturers like Huawei and ZTE, but the scope of the installed software is also unclear. (Huawei and ZTE did not immediately respond to a request for comment.) At least one US manufacturer, BLU Products, was affected, with 120,000 phones reportedly running the tracking software.
“BLU Products has identified and has quickly removed a recent security issue caused by a third party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices,” the company said in a statement.
A Google spokesperson said the company was not aware of the issue until it was contacted by Kryptowire.
Adups told the Times that the software was not meant for US phones. “In June 2016, some Blu Product, Inc. devices applied a version of the ADUPS [firmware] application that inadvertently included the functionality of flagging junk texts and calls that had been requested by other ADUPS clients,” the company said in a statement to The Verge. “When Blu raised objections, ADUPS took immediate measures to disable that functionality on Blu phones.” The company says the data was not provided to others and has been deleted.
The incident is reminiscent of a problem with HTC devices, which, through lax security, allowed malicious third parties to steal sensitive information. The company settled with the FTC in 2013 over the incident. But the Adups problem “is far more extensive,” Karygiannis says — logging more specific information on users without their knowledge, and through pre-installed software.
Adups did not immediately respond to a request for comment.
Update, 10:47 AM ET: Includes statement from BLU.
Update, 1:23 PM ET: Includes statement from Google and Adups.