Software installed on some Android phones secretly monitored users, and even sent keyword-searchable, full text message archives to a Chinese server every 72 hours, according to research from security firm Kryptowire.
The software, which also tracked users’ location data and call logs, was written by the Chinese company Shanghai Adups Technology Company, but its purposes — state surveillance or advertising — are unknown. “This isn’t a vulnerability, it’s a feature,” Kryptowire vice president of product Tom Karygiannis said in a statement.
The news was first reported earlier in the morning by The New York Times.
Adups claims to have software running on more than 700 million, mostly low-end devices, and says it has partnered with some major manufacturers like Huawei and ZTE, but the scope of the installed software is also unclear. (Huawei and ZTE have not responded to this.) At least one US manufacturer, BLU Products, was affected, with 120,000 phones reportedly running the tracking software.
“BLU Products has identified and has quickly removed a recent security issue caused by a third party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices,” the company said in a statement.
Adups told the Times that the software was not meant for US phones.120,000
The incident is reminiscent of a problem with HTC devices, which, through lax security, allowed malicious athird parties to steal sensitive information. The company settled with the FTC in 2013 over the incident. But the Adups problem “is far more extensive,” Karygiannis says — logging more specific information on users without their knowledge, and through pre-installed software.