Firmware on some Android phones has been detected collecting user data and transmitting it to third-party servers in China, according to mobile security firm Kryptowire.
Without users being aware, the Android devices, sold in the U.S. at major retailers, transmitted user and device information, including text messages, contact lists, call history (with full telephone numbers), and unique device identifiers, the researchers found. Not only that, but the firmware was also able to send information on the apps used and it could remotely reprogram devices. This meant that applications could be loaded onto devices from remote locations without a user's permission.
Basing their findings on both code and network analysis of the firmware, the researchers said the culprit was Shanghai Adups Technology Co. Ltd., a Shanghai-based company that provides professional Firmware Over-The-Air (FOTA) update services.
On being advised of this activity, one of the companies affected, BLU Products, issued a notice that it had removed the capability from its devices.