Security analysts have discovered that some smartphones sold in the US have been transmitting personal information, including the full content of text messages, to a server in China owned by Shanghai Adups Technology. The handsets were widely sold at online stores like Amazon and Best Buy and in some cases cost as little as $50.
According to Kryptowire, the data being sent back to the company was wide-ranging and included IMSI and IMEI numbers. Perhaps more worryingly, the firmware also allowed for the remote installation of apps without user consent, the transmission of detailed location information, and the ability to identify specific people or messages defined using keywords.
"The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices," Kryptowire added.
The only device named as affected in the announcement is made by Blu, which has since rolled out an update to remove all the data harvesting elements. The company confirmed that around 120,000 of its R1 HD, Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL and Energy Diamond handsets were all affected.
"BLU Products has identified and has quickly removed a recent security issue caused by a 3rd party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices. The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information," it said.
That's not likely to be a whole lot of comfort to people who had been using those devices, totally unaware that their (very) personal data was being sent to a third party without their consent. It's unconfirmed whether other brands of smartphone are affected.
Adups' lawyer told The New York Times that the software had been developed at the request of a domestic customer within China, and that the software had simply been installed on handsets bound for the US by mistake.