That cheap Android phone you are using could be secretly relaying texts and other information to a server in China, a tech security firm says.
The firm, Kryptowire, says it has found tens of thousands of Android phones, many inexpensive and many pre-paid, that transmit information including "the full body of text messages, contact lists, call history with full telephone numbers" along with security details related to the phones.
The phones Kryptowire studied included popular models such as the BLU R1 HD that sell for as little as $50 from Amazon and Best Buy. The bug has since been removed from more than 100,000 BLU Products phones, the company told the The New York Times.
“It was obviously something that we were not aware of. We moved very quickly to correct it," Blu Products CEO Samuel Ohev-Zion said.
It's not clear how many U.S. phones might still contain the bug, however.
"The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge," Kryptowire said in a statement. "The collected information was encrypted with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai."
Texts were transmitted back to China every 72 hours. Personal information was transmitted every 24 hours. It's not clear what someone is Shanghai is doing with all that information — advertisers would consider it useful, but so could Chinese intelligence.
The software company that wrote the code says it's all just a big misunderstanding.
A lawyer for Shanghai Adups Technology Company — which claims to provide 700 million phones, cars and other smart devices — told the Times the software was designed to help a Chinese phone manufacturer monitor behavior of its users and was not intended for U.S. phones.
“This is a private company that made a mistake,” Lily Lim, a lawyer in Palo Alto, Calif., who represents Adups, told the Times.