Some Android devices may be infected with software that tracks users’ phone calls, text messages, and other data, and then sends that information to China, according to a report on Tuesday.
The backdoor, identified by security firm Kryptowire, is a potentially serious security risk that could make it easy for affected devices to send personal information back to China and for recipients to view it without the user’s consent.
Shanghai Adups Technology (Adups), a China-based company, developed the software that is installed on unknown number of Android-based devices. The information collected by the software including copies of text messages, contact lists, call logs, and other personal user information, is automatically sent to Adups every 72 hours, Kryptowire said.
The software could also be used to remotely install software on affected devices without the user’s knowledge. Users were never asked for their consent to the data collection and sharing, according to Kryptowire.
Get Data Sheet, Fortune’s technology newsletter
Adups develops firmware, a kind of software that smartphone manufacturers use to update devices remotely. On its site, Adups says it works with more than 400 manufacturers, smartphone makers, and other companies worldwide.
Kryptowire says Adups’ technology is running on more than 700 million devices worldwide. Most of Adups’ clients are small Chinese device makers, although it does have major Chinese manufacturers like ZTE among its clients.
Adups, which acknowledged creating the software, says it was designed for a Chinese manufacturer that wanted the call logs, text messages, and other information to help it with customer support. In a statement to The New York Times, Adups attorney Lily Lim wouldn’t say which manufacturer requested the software and didn’t say how many phones may be affected.
Although said to be made for one company, the software made its way to at least one other of Adups’ clients, according to Kryptowire. The security firm says it discovered the backdoor on a device sold by Florida-based smartphone maker BLU Products, which sells its devices in the U.S. on Amazon.
Kryptowire said it quickly sent its findings to BLU Products, which worked with Adups to have the backdoor removed from its devices. Approximately 120,000 BLU smartphones had the software.
“BLU Products has identified and has quickly removed a recent security issue caused by a third-party application which had been collecting unauthorized personal data in the form of text messages, call logs, and contacts from customers using a limited number of BLU mobile devices,” BLU Products said in a statement. “Our customer’s privacy and security are of the upmost (sic) importance and priority. The affected application has since been self-updated and the functionality verified to be no longer collecting or sending this information.”
For more about Android, watch:
While Adups’ attorney Lim calls the backdoor’s in BLU’s devices a “mistake,” it’s unclear whether other manufacturers were also affected. The extent to which information was collected on other devices from other manufacturers is unknown.
Google (GOOGL), the creator of the Android operating system, says it’s working with all affected parties to fix the problem. However, Google also says that it does not know the details about how widely Adups distributed its software.
“We appreciate Kryptowire’s work to help keep mobile users safe,” a Google spokesperson said in a statement. “We have been in close contact with the various companies Kryptowire mentions in their research, we’re helping them take any appropriate actions, and we’re exploring any additional technical solutions we can offer as well. None of the information that was leaked in the issues described by Kryptowire was collected by Google.”
Adups did not immediately respond to a request for comment.