Pre-installed software on some Android phones, written by a developer contracted by an undisclosed Chinese manufacturer, sends the contents of text messages composed on the device, along with other user metadata, to a server in China.
Security researchers at Kryptowire discovered the software, which sends user locations, contacts, and text messages to a server once every 72 hours when connected to Wi-Fi. The code is on 700 million phones, according to developer Shanghai Adups Technology.
U.S. manufacturer BLU Products says that 120,000 of its phones have the software installed, and that it has recently updated the software to eliminate the monitoring.
According to Shanghai Adups Technology, the software installed on BLU's phones was a "mistake" and the package was never intended for phones destined for the U.S. According to the developer, the software was created at the request of an undisclosed Chinese phone manufacturer, ostensibly to assist with customer support and to track down junk text messages and unwanted phone calls.
It is not clear how many phones internationally have the monitoring software installed, and Shanghai Adups Technology refuses to say which manufacturers have bought the software. ZTE and Huawei currently use software from the developer as well.
Update: According to a statement issued by ZTE on the matter, the company has not installed the software on any U.S. devices.
The Department of Homeland Security has been advised of the situation, and is "working with our public and private sector partners to identify appropriate mitigation strategies," according to the New York Times.
BLU Products also makes an array of iOS accessories and cases, unaffected by the monitoring package. More than 30 million BLU devices have been sold in 40 countries, according to the company. BLU is also currently being sued by BlackBerry for alleged violation of eight patents belonging to the Canadian manufacturer.