The malware is disguised as the Google Play Store app, and cannot be removed as it is integrated into the firmware, they say. It's also undetectable by users.
"The affected model 'N9500' is produced by the Chinese manufacturer Star and looks very similar to a smartphone from a well-known manufacturer," they shared. "Large online retailers are still selling the Android device at prices ranging from 130 to 165 euros and distributing it across Europe."
The app gives the criminals behind this scheme full access to the smartphone. It collects personal data, sends it to a server located in China, and prevents the installation of security updates.
"The spy program enables criminals to secretly install apps, which enables the whole spectrum of abuse: localisation, interception and recording, purchases, banking fraud such as theft of mobile TANs, and sending of premium SMSs."
The researchers believe that the cheap price at which the device is sold is made possible by the subsequent selling of data records stolen from the smartphone owner.
Users who have bought such a device are advised to use a security solution to see whether the malware is present (G Data's solution detects the Trojan in question as Android.Trojan.Uupay.D). If it is, they should return the device to the online shop from which they bought it and ask for their money back, as it is impossible to remove the malware from the phone.
UPDATE: The BBC reports that eBay has barred listings for Star 9500 smartphones until the claim that they are indeed preloaded with malware is confirmed. It's still unknown who is the manufacturer of the handset.