More than 8 out of every 10 smartphone users worldwide use Android phones as of the second quarter of 2016, according to IDC’s analysis. While Samsung and other key players account for the lion’s share of the market, lesser-known companies manufacture many of these Android phones collectively. Some of these devices are unheard of, probably because they are inexpensive or they simply do not appear in flashy ads, but a huge number of budget Android phones are suspected of sending text messages to China every 72 hours, according to a discovery by security firm Kryptowire.

Analysts at Kryptowire found that a firmware running in an uncharted number of Android handsets is responsible for the transmission of personal data including location, call logs and text messages to a server in China. The backdoor software is developed by Shanghai Adups Technology Company, and is supposedly pre-installed in more than 700 million connected devices including smartphones. It remains unclear, however, how many devices exactly are affected by the software or how many of those phones are sold in the United States. The Adups software also comes pre-loaded to the phones manufactured by ZTE and Huawei, which is alarming given that Chinese phone makers continue to gain traction in the current smartphone race. Tom Karygiannis, vice president at Kryptowire, reveals that the Adups firmware is designed to send the personal information of users to China beyond the users’ knowledge. It is not clear, though, whether the software is being used as part of data mining for advertising purposes or as a way to spy on individuals worldwide.

Adups was quick to clarify that it is by no means connected to the Chinese government and that its software is developed to help a Chinese phone maker keep track of user behavior. That means there is no bug in the firmware and Adups said that version of the software was never meant for phones in the U.S. It is not known as of this time how to determine if a phone contains the backdoor, but U.S. consumers who use prepaid phones are supposedly affected by it, though there is no exact figure for that yet. BLU Products, a U.S. phone manufacturer based out of Miami, disclosed that 120,000 of its devices have been affected, though the backdoor functionality was already removed from those phones through a new update.


Update:

ZTE USA has confirmed that none of their smartphones in the U.S. have ever been affected by Adups, and that they never will be.

Update 2:


Huawei has also issued an official statement about Adups saying that "Huawei takes our customers' privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them."