Security firm Kryptowire has uncovered a backdoor in the firmware installed on low-cost Android phones, including phones from BLU Products sold online through Amazon and Best Buy. The backdoor software, initially discovered on the BLU R1 HD, sent massive amounts of personal data about the phones and their users’ activities back to servers in China that are owned by a firmware update software provider. The data included phone number, location data, the content of text messages, calls made, and applications installed and used.

The company, Shanghai AdUps Technologies, had apparently designed the backdoor to help Chinese phone manufacturers and carriers track the behavior of their customers for advertising purposes. AdUps claims its software runs updates for more than 700 million devices worldwide, including smartphones, tablets, and automobile entertainment systems. The surveillance feature of the software was developed specifically for the Chinese market, the company says, and was unintentionally included in the software for BLU devices.

[Update, November 16 10:00am] While Kryptowire reported that AdUps' software was used on Huawei and ZTE handsets in China, a Huawei representative told Ars:

Huawei takes our customers' privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them.

A lawyer for the company told The New York Times that the data was not being collected for the Chinese government, stating, “This is a private company that made a mistake.”

The backdoor was part of the commercial Firmware Over The Air (FOTA) update software installed on BLU Android devices provided as a service to BLU by AdUps. In a report on the finding, a Kryptowire spokesperson said:

These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices... The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information.

The transmissions were discovered by Kryptowire in lab testing. The company immediately notified Google, BLU, AdUps, and Amazon—which is the exclusive retailer of the BLU R1 HD—of its findings.

The user data was sent in JavaScript Object Notation (JSON) format to a number of servers, all with the hostname bigdata: bigdata.adups.com, bigdata.adsunflower.com, bigdata.adfuture.cn, and bigdata.advmob.cn. The data collection and transmission capability is spread across different applications and files. Text message data (encrypted with DES, whose key Kryptowire researchers were able to recover) and call log information were sent back every 72 hours. Other data, including location data and app use, was sent every 24 hours.
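As an added defender-side example, not from the article or from Kryptowire, the following Python scans a DNS query log for the four bigdata hostnames named above and flags client/host pairs whose query spacing matches the 24-hour or 72-hour cadence the report describes. The log format and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Hostnames named in the Kryptowire report (taken from the article).
ADUPS_HOSTS = {
    "bigdata.adups.com",
    "bigdata.adsunflower.com",
    "bigdata.adfuture.cn",
    "bigdata.advmob.cn",
}
# Reporting cadences described in the article (24h and 72h).
EXPECTED_PERIODS = (timedelta(hours=24), timedelta(hours=72))
# Constructed sample resolver log (not real data); assumed format:
# "<ISO timestamp> <client ip> <queried name>"
SAMPLE_LOG = """\
2016-11-10T02:00:01 10.0.0.7 bigdata.adups.com
2016-11-10T02:05:10 10.0.0.7 www.example.org
2016-11-11T02:00:03 10.0.0.7 bigdata.adups.com
2016-11-11T09:12:44 10.0.0.9 bigdata.adfuture.cn
2016-11-12T02:00:02 10.0.0.7 bigdata.adups.com
2016-11-13T02:00:05 10.0.0.7 bigdata.adups.com
2016-11-14T09:13:01 10.0.0.9 bigdata.adfuture.cn
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (timestamp, client, name) for queries to the listed hosts."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, name = m.groups()
        if name.lower() in ADUPS_HOSTS:
            yield datetime.fromisoformat(ts), client, name.lower()

def find_beacons(text, tolerance=timedelta(minutes=30)):
    """Group matching queries per (client, host); flag pairs whose gaps all
    match a 24h or 72h cadence. Returns {(client, host): period_hours}."""
    seen = {}
    for ts, client, name in parse_log(text):
        seen.setdefault((client, name), []).append(ts)
    flagged = {}
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        for period in EXPECTED_PERIODS:
            if gaps and all(abs(g - period) <= tolerance for g in gaps):
                flagged[key] = int(period.total_seconds() // 3600)
                break
    return flagged
```

Any single contact with one of these hosts is already worth an alert; the periodicity check only adds confidence that the traffic is the scheduled upload rather than a one-off lookup.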

A BLU spokesperson told Ars that the software backdoor affected a “limited number of BLU devices” and that the “affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.” According to The New York Times report, BLU reported about 120,000 devices were affected and patched.