Smartphones are ubiquitous. Everyone has one, and they come with all kinds of features. Some Android phones, though, apparently have an unwanted extra: a secret backdoor that sends all of your text messages to China.
Security contractors recently discovered the malware on some Android phone models, the New York Times reports.
The software comes preinstalled on the phone — this isn’t something users are accidentally downloading through misleading ads or the Google Play store. It’s written by the Shanghai Adups Technology Company, based in China.
Shanghai Adups says it runs the code on more than 700 million connected devices; one U.S.-based phone company, BLU Products, said it had found the code on 120,000 of its phones.
Folks who buy high-end, premium phones aren’t the ones at risk here; your current-generation Samsung Galaxy or Google Pixel device is not the problem. Customers who buy lower-cost, lower-end Android smartphones — primarily lower-income consumers — are the ones being hit.
The Adups software sends the full contents of text messages, contact lists, call logs, location information, and other data to servers in China, the NYT reports, and the existence of the software is not disclosed to users.
This glaring security hole is also unusual because it’s not a bug: the Adups software is working as intended. It’s meant to spy on users and phone home — it’s just that it’s meant to do so in China, and not in the U.S. In theory.
The CEO of BLU Products told the NYT, “It was obviously something that we were not aware of. We moved very quickly to correct it,” and added that Adups told him all the data from BLU customers had been destroyed.
The analytics firm that discovered the Adups firmware on American phones has taken its findings to the federal government and plans to release a full report this week.
Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say [New York Times]
Editor's Note: This article originally appeared on Consumerist.