Blu’s unlocked Android smartphones are a noteworthy bargain, offering decent hardware in a range of models for between $50 and $110 across the US and Latin America. Unfortunately, they’re not so great when it comes to privacy.

US-based security firm Kryptowire said that it discovered firmware in several Blu phones that sent users’ text messages, contact lists, call history and device information to a server in Shanghai, without their knowledge or permission.

Said firmware also allowed for remotely installing apps on users’ devices and collecting location data.

How did this happen? Blu used a third-party software system from a Chinese company called Shanghai Adups Technology to deliver over-the-air (OTA) updates to its handsets; Adups claims ZTE and Huawei among its list of clients.

The service provider bundled tools to collect data from users’ phones and transmit it back to its own server for customer support, and to identify junk messages and calls. It had developed this custom software for a separate Chinese device manufacturer.

Somehow, it ended up in the firmware meant for smartphones shipped by Blu to its customers in the US, of which about 120,000 devices were affected. Blu told The New York Times it wasn’t aware of the issue prior to Kryptowire’s revelation.

Blu has since published a statement claiming that it’s identified and removed the surveillance software, and told NYT that Adups has assured the company that all collected data has been destroyed. However, the damage to the smartphone manufacturer’s reputation, and to that of Chinese electronics brands at large, will be hard to fix.

Kryptowire Discovered Mobile Phone Firmware That Transmitted Personally Identifiable Information (PII) Without User Consent Or Disclosure on PR Newswire
