Mobile security is a huge issue, but most consumers tend to think that at least a brand new phone is safe. That assumption may be in error, according to security research firm Kryptowire. In a new report Kryptowire documents the inclusion of software tools collectively called Adups, which allegedly shipped on phones like the Blu R1 HD and other devices sold internationally, including the US market via Amazon and Best Buy.

If true, the report is a damning accusation for the software's creator Shanghai Adups Technology and its manufacturer and carrier partners. Kryptowire claims that Adups has the capability to collect IMEI data, SMS logs and contents, call logs, contact names, and IP addresses, then send the data back to third party servers in China without notification or permission from users. Said data was collected and encrypted every 24 to 72 hours in the testing phase, then transmitted to two specific IP addresses owned by Adups. Even worse, the software can remotely install new applications with system-level permissions.

Adups bills itself as a company that supplies services for over-the-air software delivery. Though Adups does not exclusively service cell phones (its marketing material includes connected cars, home monitoring equipment, retail sales software, and wearable tech), it claims 700 million active users in over 200 countries. The remote backup and install capabilities of the Adups software aren't unheard of, but they're generally available only to manufacturers and carriers, and aren't usually paired with access to personally identifiable information like contact names.

Kryptowire's findings have not been independently verified, and a full list of affected devices has not been posted. If you wish to check your own device, the APK files reportedly responsible for transmitting data and remotely accessing hardware are "com.adups.fota" and "com.adups.fota.sysoper." Kryptowire's report says that Google, Amazon, Blu, and Adups have been alerted to its contents. Ars Technica reports that Blu has already patched the affected devices and that the software is no longer transmitting personal information.