Researchers at Kryptowire recently discovered that some some disposable and prepaid Android phones house software that transmits sensitive user data, like text messages back to China. What makes this particular discovery unique is that the offending software isn’t a piece of third-party malware but rather ships with the phone itself. In addition to text message data, researchers found that the software also transmits user location data, contact lists, call logs and more.
As it stands now, it remains unclear how many existing phones are affected by what effectively amounts to spyware masquerading as firmware. The code itself was created by a Chinese company called Shanghai Adups Technology Company whose software is said to run on more than “700 million phones, cars and other smart devices” according to a report from The New York Times.
DON’T MISS: Best Buy Black Friday 2016 ad: iPhone 7, PS4 Pro bundle, TVs, and other huge deals
One U.S.-based handset manufacturer, Blu Products, told the Times that 120,000 of its budget smartphones were affected, though the company has since taken steps to remove it via a software update.
As for the underlying purpose of the code, that’s where things get a little bit convoluted. Shanghai Adups Technology Company said in a statement that the software at issue was never intended to reach smartphones in the United States. What’s more, the company claims that the software wasn’t designed to spy on customers per se, but rather to “monitor user behavior” in a general sense.
The software was written at the request of an unidentified Chinese manufacturer that wanted the ability to store call logs, text messages and other data, according to the Adups document. Adups said the Chinese company used the data for customer support.
Ms. Lim said the software was intended to help the Chinese client identify junk text messages and calls. She did not identify the company that requested it and said she did not know how many phones were affected. She said phone companies, not Adups, were responsible for disclosing privacy policies to users. “Adups was just there to provide functionality that the phone distributor asked for,” she said.
Of course, you might want to take that explanation with a big grain of salt.
For what it’s worth, Google has reportedly told Adups to remove the offending software code from devices that house Google’s suite of services.