UPDATE: ZTE USA has provided Tech Times an official statement regarding the issue:
"We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected."
ORIGINAL STORY: Firmware pre-installed on some budget U.S. Android smartphones have been found to relay sensitive information to a third-party company in China, according to reports.
Security firm Kryptowire published an analysis pinning several entry-level smartphones sold in the United States that stockpiled sensitive personal data without due consent of the users.
The smartphones in question were made available on several online retailers such as Amazon, Best Buy and elsewhere. One such smartphone was the $50 Blu R1 HD, according to Kryptowire.
Types Of Sensitive Information Sent
The analysis confirms that text messages, call logs containing full contact numbers and contact lists were among the roster of inappropriately relayed information to China. Unique device identifiers such as International Mobile Subscriber Identity, or IMSI and the International Mobile Equipment Identity, or IMEI were also shared.
Furthermore, the firmware installed on the smartphones were said to administer some sort of filtration system, which is able to send over sensitive information pulled from relevant keywords or matching terms. App usage was also monitored and then transmitted to the receiving end.
A full list of affected smartphones have not been published, or is not purported to be available, at least as of this time. However, Kryptowire confirms that the series of activities include bypassing Android's permission model, executing remote commands that eclipsed standard system privileges and remotely reprogramming the devices, all of which were back-channeled sans notification.
Where The Information Was Sent
Kryptowire was able to trace the activity to Shanghai Adups Technology Co. Ltd, a firmware software update company in China.
It had fleshed out a secret conduit that amassed massive personal information in order to aid a Chinese phonemaker track the behavior of its customers for customer support purposes. On its website, Adups claims that it pushes out software updates to more than 700 devices globally, including smartphones, tablets, automobiles and other wearable devices. The company also provides software to China-based ZTE and Huawei.
The company says that the data transmission was designed as a specific feature for Chinese smartphones but was erroneously integrated in the software that came with entry-level smartphones sold in the United States, including the Blu R1 HD.
A lawyer for Adups has spoken to the New York Times, calling the data transmission "a mistake."
Furthermore, the company behind the Blu R1 HD has assured users that all the information collected by Adups has now been destroyed.
"It was obviously something that we were not aware of. We moved very quickly to correct it," Samuel Ohev-Zion, chief executive of Blu Products, said.
Ohev-Zion is confident that the problem has been ironed for owners of the Blu R1 HD, promising that not one unit remains actively collecting information at present.
Meanwhile, the Department of Homeland Security is currently in talks with its public and private sectors to look into proper mitigation strategies for the reported incident.