Pre-installed malware is definitely not one of the reasons you bought your current Android smartphone or tablet, but if you own several ZTE devices, Archos and myPhone, then you also have malware on board.
The news comes from Avast, which found a type of adware malware that simply loads ads in its browser. It is not the most harmful attack that can be found on a smartphone, but without a known solution that is not a sledgehammer, it is undoubtedly the most persistent.
Avast specifically called these manufacturers in an announcement, saying that most devices are not certified by Google. Several hundred models are affected, but most of them are tablets. And most of them are powered by MediaTek chips.
The name of the adware is called Cosiloon, and what it does is create an ad on the web page that could be loading in your browser. The adware has been active for about three years, and it is difficult to remove, apparently, since it is installed at the firmware level "and uses strong obfuscation".
Avast identified some 18,000 devices infected by malware in more than 100 countries, including Russia, Italy, Germany, the United Kingdom, Ukraine, Portugal, Venezuela, Greece, France and Romania.
Google was also notified of the problems, and is working to mitigate the problems, but even Google can not deal with the applications as long as they are pre-installed on the devices. Google apparently contacted the developers to raise awareness about the matter.
Avast discovered these "dropper" applications within the file system of applications preinstalled on a device. This variant is a passive application visible in the list of applications of the system in "configuration". These eyedroppers can download a manifest from certain servers, which contains more instructions on what to download on the phone.
The dropper downloads a second APK application and installed on the device. Users can not uninstall the droppers as they are integrated in the firmware.
A second dropper version is embedded in SystemUI.apk, which is part of the Android operating system, which makes it even more difficult to remove.  The payload that any of the droppers can install is apparently "very obfuscated and very complex". It can even detect if it is used in an antivirus emulator, in which case it will retain its actions. If necessary, it can be updated by obtaining the appropriate files from a server.
When activated, the upload delivers ads to various applications and games. Needless to say, you should avoid clicking on any of those ads (see examples in the screenshots above).
Avast says it can detect the payload and uninstall it, but it can not do anything with the eyedropper integrated into the system. If you want to read more about your findings, check this link. Here you can find a list of the affected devices.