Security firm Check Point Software claims to have found 38 Android smart phones shipping with malware that has been installed somewhere along the supply chain.
And the smartphones it has fingered aren't all cheap knock-offs bashed out of shonky chop shops in China, but includes Samsung, as well as Xiaomi, Asus and Lenovo. Check Point has warned that the threat is severe.
"The Check Point Mobile Threat Prevention has recently detected a severe infection in 38 Android devices, belonging to a large telecoms company and a multinational technology company," said Oren Koriat of the Check Point mobile research team.
"While this is not unusual, one detail of the attacks stands out. In all instances, the malware was not downloaded to the device as a result of the users' use, it arrived with it.
"According to the findings, the malware was already present on the devices even before the users received them. The malicious apps were not part of the official ROM supplied by the vendor, and were added somewhere along the supply chain.
"Six of the malware instances were added by a malicious actor to the device's ROM using system privileges, meaning they couldn't be removed by the user and the device had to be re-flashed."
Check Point recommends that as a general rule people should not download applications from unusual and untrusted places, but that doesn't help much here.
More handy is the list of affected handsets, which is long, and includes Samsung models the Note 2 and 8.0, the Galaxy S4, A5 and A7, the Xiaomi Mi 4i, Oppo N3, 5 Asus Zenfone 2, Lenovo S90 and more more more.
It is not clear whether Check Point has contacted smartphone makers for an explanation, but V3 has and awaits a response.
Check Point advises: "As a general rule, users should avoid risky websites and download apps only from official and trusted app stores. However, following these guidelines is not enough to ensure their security. Pre-installed malware compromises the security even of the most careful users.
"In addition, a user who receives a device already containing malware will not be able to notice any change in the device's activity, which often occurs once a malware is installed.
"The discovery of the pre-installed malware raises some alarming issues regarding mobile security. Users could receive devices which contain backdoors or are rooted without their knowledge.
"To protect themselves from regular and pre-installed malware, users should implement advanced security measures capable of identifying and blocking any abnormality in the device's behaviour."
Kicking Palantir off of AWS is among their demands, too
Rafaela Vasquez was watching The Voice at the time of the crash, new evidence shows
PUBG price slashed on Steam after selling more than 50 million copies - as daily player numbers plunge
Use the same password for every website? It might be time to change them all