Security researchers have discovered code in Android smartphone firmware that collects users' sensitive personal information without their consent or knowledge and sends it to third-party servers in China.
American security vendor Kryptowire said it found the code in the firmware on budget Android devices from large American online retailers Amazon and Best Buy, among others.
The code was included in updates from Chinese firmware over the air (FOTA) company Shanghai Adups, and was also found in devices from US vendor BLU.
Adups supplies software to smartphone makers ZTE and Huawei and claims 700 million active users.
According to Kryptowire's analysis, the code would send all a users' text messages using the secure HTTPS protocol to a server in Shanghai.
Users' contacts databases, call history with full phone numbers, and the International Mobile Subscriber and Mobile Equipment Identity (IMSI/IMEI) unique device identifiers were also transmitted.
Specific users and text messages could be targeted by the code, which could also record which apps users activated, software versions, fine-grained location information, and more.
Some data would be collected every 24 hours. Text messages were collated and sent every 72 hours, Kryptowire said.
As the OTA-delivered code in the Adups managed firmware was whitelisted by Android, it bypassed the operating system's permission model and could run remotely-issued commands with full system privileges.
The code is also able to install apps and remotely re-program Android devices. It is transparent to users, with no interaction needed or permissions sought.
Kryptowire said it had notified Google, Amazon, BLU and Adups about the issue.
BLU told the New York Times it was not aware of the code, and claimed Adups told it that the software was written for an unnamed Chinese vendor that wanted to use the information to improve its customer support.
Adups confirmed the existence of the firmware and said it was designed as an anti-spam and telemarketer solution.
"In response to user demand to screen out junk texts and calls from advertisers, our client asked Adups to provide a way to flag junk texts and calls for users. We developed a solution for Adups FOTA application," Adups said.
"The customised version collects messages to identify junk texts using back-end aggregated data analysis in order to improve mobile phone experience.
"Adups FOTA application flags texts containing certain language associated with junk texts, and flags numbers associated with junk calls and not in a user’s contacts."
A US lawyer representing Adups said the code was installed on American phones by mistake in June this year, and was only intended for the Chinese market.
BLU said 120,000 of its devices were affected, and would be updated to remove the user data transmission feature.