ZTE is currently fighting with the US government to lift a trade ban, while federal intelligence committees accuse the company of spying on US consumers. It looks like ZTE might be in even more trouble, as pre-installed malware has been found on several phones from the company. Avast Software has released details about the 'Cosiloon' malware on its blog, which has also been found on devices from Archos, Prestigio, and others.
The malware in question creates an overlay to display ads on the device, and has been active for at least three years. It consists of two APKs, the dropper (which downloads and installs the malware) and the payload (the malware itself).
Two variants of the dropper were found, with the names 'CrashService' and 'ImeMess.' Some devices even had the dropper embedded in Android's SystemUI application, hidden in the com.android.keyguard package. However, this variation is far less common.
Avast discovered over a hundred different payload versions, with the latest including ad frameworks from Google, Facebook, and Baidu. The payload disguises itself as a system application in the launcher to avoid detection. Some of the package names included 'MediaService,' 'eVideo2Service,' and 'VPlayer.'
Avast has received reports of the malware from users in over 90 countries, with the top ten over the last month being Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France, and Romania. The number of affected devices is in the hundreds, with most being budget phones or tablets with MediaTek processors. The vast majority of affected devices are not certified by Google. A detailed list of models is available here, but Avast notes that only some variations of said devices may have the malware.
Avast sent takedown requests to the domain serving payload APKs, but the server has since moved to another provider. Avast's antivirus app has been updated to detect and uninstall the payload, but due to permission restraints, it cannot disable the dropper. Google Play Protect can disable both the payload and dropper, but most of the affected devices do not have Play Protect, since they are not certified by Google.
You can find all the technical details at the source link below. In the meantime, you should double-check any budget phone or tablet you buy has been certified.