Smartphones sold in the U.S. have been secretly collecting user data and sending it to servers in Shanghai.
The findings, announced this week by security firm Kryptowire, have raised questions about how users can keep the secrets stored on their smartphones from being siphoned away without their knowledge.
Most smartphone owners don't have anything to worry about right now. The Chinese company responsible for the software said the problem is limited to 120,000 phones sold by Blu Products, which offers cheap, unlocked Android smartphones at retailers including Amazon (AMZN) and Best Buy (BBY).
But the details of the incident are troubling. User data, including text messages, call logs and contacts, was being sent from the U.S. to China at regular 72-hour intervals, according to Kryptowire. The personal information was being sent without permission.
The software in question has been traced to Shanghai Adups Technology. In a statement, Adups said that the sensitive data it collected was kept private and eventually deleted.
But how can consumers protect themselves against this kind of invasion of privacy? Unless you happen to be a computer science whiz, identifying all the ways your phone is using personal data can be very difficult.
"For the average consumer it's not something that is obvious," said Kryptowire vice president Tom Karygiannis.
Owners of compromised Blu Android smartphones are able to visit the company's website and follow a six-step process to make sure their data is no longer being secretly harvested.
More technically sophisticated Android users can look at what comes installed on a smartphone's system image and inspect the applications, but this can be a very complicated process. (Kryptowire engineer Ryan Johnson describes how he found the vulnerability in this podcast.)
Analysts say this kind of data vulnerability is becoming more common.
"We were not surprised that it happened, but we are definitely interested in knowing how widespread this problem is," Karygiannis said. Adups' software is used in 700 million smart devices worldwide.
Consumers who buy low-cost smartphones with questionable supply chains are particularly at risk.
"This is a bit terrifying, especially when you consider how much information and access these devices have," said Bryce Boland, Chief Technology Officer for Asia Pacific at FireEye. "For most people, their phones ... hold a tremendous amount of personal information."
Cybersecurity expert Dimitri Sirota, CEO of BigID, recommends users stick to more established smartphone makers.
"It's always better to get a brand that stands behind its brand, and has a brand reputation to protect," said Sirota.
Smartphone maker Xiaomi was caught up in a related problem in 2014 after a private security firm discovered it had been collecting information from users' address books without permission and storing it on remote servers.