Without your knowledge or consent, phones manufactured by Huawei and ZTE have been secretly sending your text messages to a server in China. According to The New York Times, security contractors from Kryptowire discovered preinstalled spyware capable of monitoring where a user goes, who they talk to, and even what’s written in text messages.
The New York Times said international customers and users of disposable or prepaid phones are most affected by the spyware. Adups Technology’s revealed its code reportedly runs on more than 700 million phones, cars and other smart devices, including handsets manufactured by BLU Products, a Miami-based company. BLU was one of the companies Amazon tapped to make its “Prime Exclusive” devices, which retailed for just $49.
“Even if you wanted to, you wouldn’t have known about it,” said Karygiannis in an interview with The New York Times.
The software, created by Shanghai Adups Technology, is reportedly considered a “feature,” not a vulnerability, according to Krytowire vice president of product Tom Karygiannis. It’s unclear if the software was designed to data mine for advertising or if it’s a Chinese government program to collect intelligence.
BLU issued a statement saying it has already issued an update to patch the issue.
“BLU Products has identified and has quickly removed a recent security issue caused by a third party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices.”
What other information is being sent overseas?
According to Adups, the software, which was intentionally designed to monitor users, was never intended for American phones. And, yet, BLU devices were affected. It’s unclear how deep the rabbit hole goes.
As The Verge notes, HTC encountered a similar issue in 2013, resulting in the company settling with the FTC. According to Karygiannis, the software made by Adups is “far more extensive.”
The NYT’s report says the software was written at the request of a Chinese manufacturer that wanted to store call logs and other information. Adups claims there was nothing malicious about the software; the company simply wanted to use the data for customer support.
Whether or not that’s true is unclear. But now that this issue has come to light, it probably isn’t the last time we’ll hear about it.
Update: Huawei has released a statement responding to The New York Times’ report.
Huawei takes our customers’ privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.
ZTE also reached out with a statement.
We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.