If you want to buy a cheap Android phone, one way is to go to some Chinese e-retailers and purchase the phone that matches your requirements. Most phones will work reasonably well, but one thing that’s common to most/all Chinese manufacturers is a lack of firmware updates and of concern for security. So you may only get 2 or 3 firmware updates during the lifetime of your phone, if any, and usually the Android security patch is rather old.
But Dr.Web discovered several Android smartphone models that ship with a Trojan (Android.Triada.231); in other words, the stock firmware is already infected with malware. The company found over 40 infected models, but the list may still grow.
Android.Triada trojans infect the Zygote process, which is used to launch all applications in Android. Because every app process is started from Zygote, once it is infected the trojan can download and launch software without the user’s knowledge. The 231 variant of Android.Triada is injected into the libandroid_runtime.so system library rather than distributed as a separate program, and that way it’s easier for it to penetrate the device firmware during production.
The company contacted the manufacturers of infected devices – such as Leagoo, Cubot, Zopo, Doogee, Cherry Mobile, and other lesser-known vendors – about this issue last summer, but some models are still shipped with infected firmware. After researching the source of the malware on Leagoo M9 smartphones in particular, Doctor Web security researchers showed that the Trojan got into the firmware at the request of a Shanghai-based software development company, which provided instructions to Leagoo to add third-party code into system libraries before compilation. Leagoo may not have thought much of it, built the firmware with that code, and shipped it to customers.
To check for infection you can install and run Dr.Web Security Space with a full scan. I installed it with a 14-day trial license on a Xiaomi Mi A1, and the phone is clean. As an Android One phone, it’d better be! In case you are infected, the app can remove the Trojan as long as your phone is rooted. If it is not, you’ll have to ask the manufacturer or seller for a clean firmware.
Thanks to TLS & tkaiser for the tip