According to Norwegian security firm Mnemonic, the backdoor is not a bug, but a deliberate, hidden feature.
More than 350,000 watches have been sold so far and to be fair it is the sort of cock-up we expect from remote gizmos.
However Harrison Sand and Erlend Leiknes in a report insist it is deliberate.
"It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch."
The researchers suggest these smartwatches could be used to capture photos covertly from its built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has been done.
The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity, with an associated phone number. Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch.
Xplora contends the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and Norwegian Consumer Council in 2017 for assorted security and privacy concerns.
With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot.
Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to those to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools.
Basically this means that ordinary people can't be hacked by the manufacturer under orders from Beijing or opportunistic miscreants. It might be an issue for some.