Researchers have discovered what has been determined to be Chinese malware pre-loaded onto several bargain smartphones being sold in in Asian and African countries. The fact that it's pre-loaded ensures that it cannot be uninstalled by the end user or by antimalware software.

The trojan, aka DeathRing, masquerades as a ringtone app, but instead can download SMS and WAP content from its command and control server to the victim’s phone. It can then use this content for malicious means.

The malware is activated in two ways — both dependent on the victim’s use of the phone. First, the malware will activate if the phone is powered down and rebooted five times. On the fifth reboot, the malware starts.
Second, the malicious service will start after the victim has been away and present at the device at least fifty times.

Affected phones:

Counterfeit Samsung GS4/Note II

A variety of TECNO devices

Gionee Gpad G1

Gionee GN708W

Gionee GN800

Polytron Rocket S2350

Hi-Tech Amaze Tab

Karbonn TA-FONE A34/A37

Jiayu G4S – Galaxy S4 clones,

Haier H7

a i9502+ Samsung clone by an unspecified manufacturer

There is no indication of where in the supply chain the malware was introduced, but Lookout notes that it was loaded in the system directory of the devices.

Source: Lookout