If you've used certain kinds of disposable or prepaid Android phone, your device may have been unknowingly transmitting personal data and usage information to a Chinese server, according to a new report released by security contractors at Kryptowire.
As reported by the New York Times, code written by Shanghai Adups Technology Company was preinstalled on some Android phones and used to monitor where users go and record communication data including call logs and text messages.
From the article:
Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. "Even if you wanted to, you wouldn't have known about it," he said.
Making things all the more troubling was the fact that this was no bug in the code, but instead an intentional effort by Adups to "help a Chinese phone manufacturer monitor user behavior" via device firmware. This information comes from a document Adups provided to executives from BLU, a U.S-based manufacturer of budget Android devices. According to BLU CEO Samuel Ohev-Zion, the company was unaware of the backdoor, but says that BLU moved quickly to correct it and has been assured by Adups that all information taken from Blue customers has been destroyed:
Mr. Ohev-Zion, the BLU chief executive, said he was confident that the problem had been resolved for his customers. "Today there is no BLU device that is collecting that information," he said.
Adups writes software code for phones, cars and other IoT devices, boasting on their website that they have 700 million active users across over 200 countries and regions. BLU told the NYT that 120,000 of its phones had been effected. The full scope and scale of this discovery still unclear at this time.
Android Central reached out to BLU for comment, but had not received a response as of press time.