A number of budget Android smartphones are suspected of sending text messages to China every 72 hours.
Security firm Kryptowire, which first reported the secret backdoor on Tuesday, blamed a firmware developed by Shanghai Adups Technology Company.
The majority of monitoring activities used Adups' Firmware Over The Air (FOTA) update system, developed in response to user demand to screen out junk texts and calls from advertisers.
"Since its founding, Adups FOTA has taken customer and user privacy very seriously," the organization said in a statement published Wednesday.
But the software, according to Kryptowire, transmits sensitive personal data without disclosure or user consent.
Tech Radar released a list of affected models from Miami-based mobile manufacturer Blu. Owners of the R1 HD, Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, or Energy Diamond are encouraged to check their phone by navigating to Settings > Apps > Menu > Show System > Wireless Update. If it is running 220.127.116.11.004, you're in the clear, Tech Radar said. If it reads 5.0.x to 5.3.x, however, you should contact Blu immediately.
It remains unclear how many of the handsets were sold in the US.
These devices relay information like text messages, contact lists, call history (with full telephone numbers), and unique device identifiers, Kryptowire explained. The firmware also collected details about the use of installed applications, and is able to remotely program the gadget.
Shanghai Adups, however, claims this is all a misunderstanding; a simple mistake that has since been rectified.
"In June 2016, some Blu Product, Inc. devices applied a version of the Adups FOTA application that inadvertently included the functionality of flagging junk texts and calls," the company statement said. "When Blu raised objections, Adups took immediate measures to disable that functionality on Blu phones."
It also confirmed that no information—text messages, contacts, phone logs—was disclosed, and any data received from a Blu phone during that period was deleted.
"Also, Adups has been working to further improve the privacy protections in its products. Adups sincerely apologizes to its partners and users," it continued. "We will enhance process management and work to improve transparency, and deliver high-quality products and best service to provide the best possible data security for all our customers."
Neither Google nor Blu immediately responded to PCMag's request for comment.
ZTE, meanwhile, maintains that none of its US devices "have ever had the Adups software installed on them, and will not," the mobile manufacturer told Android Headlines.