Budget smartphones from Lenovo, Huawei, and other largely Chinese brands contain an accidental backdoor that grants intruders root access.
The confirmed affected smartphones run Chinese company MediaTek's MT6582 chipset and are exposed to unauthorised root access thanks to a debugging feature left over from development.
The Register has inquired with the company regarding which other handsets may be affected. MediaTek has chips in popular HTC, Sony, and other higher-end models.
MediaTek told Gadgets360 the flaws affect phones running Android 4.4 KitKat.
"We are aware of this issue and it has been reviewed by MediaTek's security team," the company says.
"It was mainly found in devices running Android 4.4 KitKat, due to a debug feature created for telecommunication interoperability testing in China."
Android KitKit is still the most popular version despite being first released in 2013 and superseded by the much-improved 5.0 Lollipop and 6.0 Marshmallow releases.
Some 36 percent of all Android devices connecting to Google Play as of last month run KitKat.
So Mediatek broke basic security features to have this backdoor work. Readonly properties are NOT read only! pic.twitter.com/pEjtMNpo9v— Justin Case (@jcase) January 13, 2016
The flaws mean attackers can create applications that when installed on stock phones allow evildoers to gain total control of devices.
Malicious applications often require users to manually root their devices to gain that level of access.
This creates a huge opportunity for attackers since those affected users running Android 4.4 are reasonably unlikely or unable, thanks to slack telcos and manufacturers, to apply patches.
Anyone connecting the cheap Chinese phones to the less-than-rigourously-curated third party app stores popular in China is at a significantly elevated risk of having phones compromised. ®