More than two dozen cheap Androids have been found to host pre-installed malicious apps capable of downloading persistent adware and making phone calls.
The phones, which include Lenovo's A6000 and A319, were discovered bearing the pre-installed malicious apps by security researchers with antivirus firm Dr Web.
Dr Web reckons resellers and firms in the supply chain are to blame.
It says there are likely to be many more compromised handsets bearing the apps capable of quietly downloading various trojans from remote servers.
Most of the downloads appear to be adware, a class of malware more irritating than dangerous, other than to the wallet of those who end up paying excess data charges. Mobile adware mostly strikes in China and Russia.
Entire companies have been found pushing advertising malware apps onto devices, ignoring the option to steal passwords and data using the acquired root privileges.
One firm based in Xingdu, China, was this year fingered for slinging the Hummingbad malware and was said to be making $US300,000 a month through some 10 million infected devices.
Dr Web's researchers described a trojan which activates on boot and connects to its command and control to download configuration files when a WiFi connection is established.
"The file contains information about the application that the trojan should download [and] covertly install," the researchers said.
"Android.DownLoader.473.origin actively distributes the advertising program H5GameCenter that is detected by Dr.Web as Adware.AdBox.1.origin [which] displays a small box image on top of running applications that cannot be removed from the screen."
Affected devices include the following handsets:
- MegaFon Login 4 LTE
- Irbis TZ85
- Irbis TX97
- Irbis TZ43
- Bravis NB85
- Bravis NB105
- SUPRA M72KG
- SUPRA M729G
- SUPRA V2N10
- Pixus Touch 7.85 3G
- Itell K3300
- General Satellite GS700
- Digma Plane 9.7 3G
- Nomi C07000
- Prestigio MultiPad Wize 3021 3G
- Prestigio MultiPad PMT5001 3G
- Optima 10.1 3G TT1040MG
- Marshal ME-711
- 7 MID
- Explay Imperium 8
- Perfeo 9032_3G
- Ritmix RMD-1121
- Oysters T72HM 3G
- Irbis tz70
- Irbis tz56
- Jeka JK103
- Lenovo A6000
- Lenovo A319
Trojans found on Lenovo A319 and A6000 devices classified as Android.Sprovider.7 are built into the Rambla application providing access to an Android software catalog by the same name.
Its unencrypted payload executes functions including the ability to download and install Android installation apps, open browser links, call dedicated phone numbers, throw top-of-screen ads, and update its main malware module.
"Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users," the researchers say. ®