A US security company says a Chinese-made smartphone popular in the United States forwarded detailed user data and user texts back to a Chinese server without the phone owner’s knowledge.
Virginia-based Kryptowire, which provides mobile security services to government agencies and private businesses, said late Tuesday that it had discovered the problem in a number of Android-based phones using firmware from the Chinese company Shanghai ADUPS Technology.
Those phones included the popular models from US manufacturer BLU Products, sold in stores around the country.
It said the firmware—software deeply embedded in the phone—periodically transmitted data that identified the device, the numbers called and received, contact lists and full text messages back to the server for unclear purposes.
It said the firmware could also execute remote commands and reprogram the smartphones from a remote location.
“The firmware could target specific users and text messages matching remotely defined keywords,” Kryptowire said in a statement.
The report sparked fresh worries that mobile device makers—in this case Chinese—could surreptitiously suck more personal data from a person’s phone or tablet than they admit to doing, for use commercially or, for example, in espionage.
In a statement Wednesday, Shanghai ADUPS said the firmware had been designed to help screen out junk texts and calls.
An automatic update to the firmware, made for other clients, had “inadvertently” been installed on BLU Products phones, it said, and has since been disabled after objections from BLU.
“No information associated with that functionality, such as text messages, contacts, or phone logs, was disclosed to others and that any such information received from a Blu phone during that short period was deleted,” it said.
Shanghai ADUPS’ website says its software and firmware update services reach 700 million users around the world.