Kryptowire, the security firm that discovered the
vulnerability, said the Adups software transmitted the full
contents of text messages, contact lists, call logs, location
information and other data to a Chinese server. The code comes
preinstalled on phones and the surveillance is not disclosed
to users, said Tom Karygiannis, a vice president of
Kryptowire, which is based in Fairfax, Va. “Even if you wanted
to, you wouldn’t have known about it,” he said. Security
experts frequently discover vulnerabilities in consumer
electronics, but this case is exceptional. It was not a bug.
Rather, Adups intentionally designed the software to help a
Chinese phone manufacturer monitor user behavior, according to
a document that Adups provided to explain the problem to BLU
executives. That version of the software was not intended for
American phones, the company said.