Shanghai Adups Technology Company, a technology company based in China, is accused of developing and installing spyware on budget Android devices that stole text messages and call records and sent the data back to servers in China.
The major vulnerability, which was first reported by mobile enterprise security firm Kryptowire earlier this week, reportedly transmitted the siphoned data from the compromised devices back to China every 72 hours.
The software sends personal data such as text messages, contact lists, call history and unique device identifiers back to third-party servers without disclosure or the users’ consent.
“The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges and was able to remotely reprogram the devices,” Kryptowire’s statement on the scandal said.
According to the report, the budget Android smartphones were even available through U.S. online retailers like Amazon and BestBuy. But authorities remain in the dark as to whether the information was being collected for advertising purposed or as the Chinese government’s effort to collect intelligence.
The New York Times reported that those expected to be most impacted by the exploit are international customers and users of disposable or prepaid phones.
While the scope is unclear, back in September Shanghai Adups Technology Company claimed to have over 700 million active users and a market share of more than 70 percent across 150 countries. The company’s site also stated its firmware was integrated in more than 400 leading mobile operators, semiconductor vendors and device manufacturers spanning multiple industries.