Research from security firm Kryptowire shows software installed on some cheap Android phones has been secretly sending user data – including full text messages – to a Chinese server.
The software, which also collects location data and contacts and call history, sends the information to a Chinese company called Shanghai Adups Technology every 72 hours without the owner knowing.
It has been identified on several models of Android phones that cost around £50, and are manufactured by big tech firms like Huawei, BLU Products and ZTE.
It's unclear how many phones have the software installed, but some of the manufacturers sell phones outside of China, including in the UK.
Aside from collecting and sending information, the backdoor could also be used to bypass the phone's security, allowing another party to control the device.
According to a New York Times report, the software was intentionally created and installed on the phones, after Adups was asked to do so by a Chinese manufacturer – though it claims the software was never intended for American phones; i.e. those produced by US firm BLU Products.
BLU says 120,000 of its phones were affected by the backdoor, before the company provided a software update to remove it.
The Times report also claims the backdoor affects "international customers and users of disposable or prepaid phones" most.
A lawyer for Adups, which says its software runs on more than 700 million devices, told the Times: "This is a private company that made a mistake."
It remains unclear what the user information has been used for, though there are concerns over whether it has supported surveillance efforts.
Adups has not confirmed which phones are affected by the software, but if you're in the US and have a BLU phone, you should update to the latest software ASAP.
If you're concerned you may have a phone that has the software installed, you should contact the device's manufacturer.