Some Android phones have been found to carry data collection software that sends all the text messages on the phone to China every 72 hours.
The New York Times investigated reports security contractors had discovered preinstalled software in Android phones that monitors where users go, who they talk to and what they write in text messages.
The Times found a Chinese company wrote the software and American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
Kryptowire, the security firm that discovered the vulnerability, said the software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server.
The scope of how many Android phones were affected by the software was unclear, the Times reported.
According to Adups, the company behind the software, website, it provides software to two of the largest cellphone manufacturers in the world, ZTE and Huawei. Both are based in China.
A spokesperson for Huawei said the company took its customers' privacy and "security very seriously" and that it works "diligently to safeguard that privacy and security".
"The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them," the company said.
One American phone manufacturer, BLU Products, told the Times 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.
A Google official told the Times the company had told Adups to remove the surveillance ability from phones that run services like the Google Play store.
The Times reported Kryptowire discovered the problem when a researcher bought an inexpensive phone, the BLU R1 HD, for a trip overseas. While setting up the phone, he noticed unusual network activity and analysts noticed that the phone was transmitting text messages to a server in Shanghai and was registered to Adups.