Buying an inexpensive Android phone or tablet can be tempting, but ultra-cheap or off-brand devices sometimes come with unwanted software already baked into the system image. In the worst cases, that can include malware (such as newly reported families found pre-installed on budget devices). Because pre-installed threats may run with elevated permissions, you should treat setup, updates, and app installs more carefully than usual.

Before you buy: reduce the odds of getting a compromised device

  • Prefer reputable brands and authorized sellers. Marketplace listings and unknown importers can increase supply-chain risk.
  • Check for Play Protect certification. Look for “Play Protect certified” in the Play Store settings on the device (or confirm the model is certified before purchase if possible).
  • Be skeptical of “too good to be true” specs. Extremely low prices paired with high-end specs can be a red flag for cloned or heavily modified firmware.

First boot checklist (do this before signing into Google or banking apps)

  1. Connect to a trusted network (home Wi‑Fi or your hotspot). Avoid public Wi‑Fi during initial setup.
  2. Update Android and system components immediately.
    • Go to Settings → System → System update (wording varies) and install all updates.
    • Update Google Play system updates (often under Settings → Security).
  3. Update the Play Store and run Play Protect.
    • Open Play Store → your profile → Play Protect → Scan.
    • Enable “Scan apps with Play Protect” if it’s off.
  4. Review pre-installed apps before adding accounts. Unfamiliar “Device Manager,” “Updater,” “Cleaner,” “Security,” or ad-heavy apps deserve extra scrutiny.
  5. Delay restoring full backups until you’re confident the device is clean; restore only essential items first.

Signs a device may have pre-installed malware

  • Unexpected ads on the home screen or notifications you didn’t subscribe to.
  • Strange battery drain or overheating while idle.
  • Data usage spikes without obvious cause.
  • Apps you can’t uninstall that request broad permissions (SMS, Accessibility, Device admin, Notification access).
  • Security settings blocked (e.g., you can’t enable Play Protect or install updates).

How to investigate: quick, practical checks

  1. Check Device Admin apps. Go to Settings → Security → Device admin apps and disable anything you don’t recognize (if safe to do so).
  2. Check Accessibility and Notification access.
    • Settings → Accessibility: turn off suspicious services.
    • Settings → Apps → Special access → Notification access (or similar): revoke for unknown apps.
  3. Review installed apps list. Sort by last installed/updated and look for apps with generic names or no icon.
  4. Run a reputable mobile security scan. Use a well-known vendor from the Play Store and scan the full device.
  5. Inspect network behavior. In Settings → Network & internet → Data usage, identify apps consuming data in the background.
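
The Accessibility and Notification access checks above can also be done from a computer over adb. This Python script is an added example, not part of the original guide. It assumes USB debugging is enabled and that you captured the output of the three adb commands named in its comments; every package name in the sample data is constructed.

```python
# Cross-reference special-access grants with the pre-installed (system) package list.
# Inputs are the saved text output of (assumed setup: adb installed, USB debugging on):
#   adb shell pm list packages -s
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners

def parse_packages(pm_output):
    """Return the set of package names from `pm list packages` output."""
    pkgs = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # With -f the form is package:/path/base.apk=com.name; keep the name.
            pkgs.add(line[len("package:"):].rsplit("=", 1)[-1])
    return pkgs

def parse_components(setting_value):
    """Split a colon-separated list of pkg/class components into package names."""
    value = setting_value.strip()
    if not value or value == "null":  # `settings get` prints "null" when unset
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def audit(system_pm, accessibility, notif_listeners, known_good=()):
    """List packages holding special access; mark the ones shipped in the image."""
    system = parse_packages(system_pm)
    grants = {}
    for label, raw in (("accessibility", accessibility),
                       ("notification_access", notif_listeners)):
        for pkg in parse_components(raw):
            grants.setdefault(pkg, []).append(label)
    return [{"package": pkg, "access": access, "preinstalled": pkg in system}
            for pkg, access in sorted(grants.items()) if pkg not in known_good]

# Constructed sample captures (not from a real device).
SAMPLE_SYSTEM = """package:com.android.settings
package:com.example.launcher
package:com.example.cleaner
"""
SAMPLE_A11Y = "com.example.cleaner/com.example.cleaner.BoostService"
SAMPLE_NOTIF = ("com.example.launcher/.NotifListener:"
                "com.example.cleaner/.Listener:com.example.chat/.NotifService")

if __name__ == "__main__":
    for f in audit(SAMPLE_SYSTEM, SAMPLE_A11Y, SAMPLE_NOTIF,
                   known_good=("com.example.launcher",)):
        tag = "PRE-INSTALLED, cannot uninstall normally" if f["preinstalled"] else "user-installed"
        print(f'{f["package"]}: {", ".join(f["access"])} ({tag})')
```

A pre-installed package that already holds Accessibility or Notification access on a device you have not configured yet is the combination to look at first.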

How to remove suspicious apps (when possible)

  • Uninstall normally first. Settings → Apps → (app) → Uninstall.
  • If uninstall is blocked, remove elevated privileges. Disable Device Admin / Accessibility permissions, then retry uninstall.
  • Disable bloat you can’t remove. If an app is system-level and won’t uninstall, tap Disable (if available) and revoke its permissions.

If you suspect the malware is in the firmware (the hardest case)

Some pre-installed threats persist because they’re embedded in the system image. In that situation, basic uninstall steps may not fully resolve the problem.

  1. Back up only what you must (photos/documents), not a full system/app restore.
  2. Factory reset (Settings → System → Reset options → Erase all data). Then set up minimally and re-check for symptoms before logging into sensitive accounts.
  3. Install updates again immediately after the reset and re-run Play Protect/security scans.
  4. Consider returning the device. If suspicious apps reappear after a clean reset and updates, treat it as a device integrity problem.
  5. Advanced option: re-flash official firmware (only if you know what you’re doing). Use official images/tools from the manufacturer where available; avoid random ROM downloads.

Account safety: what to do if you already signed in

  • Change passwords for your Google account and any accounts used on the device.
  • Enable 2FA (prefer passkeys or an authenticator app over SMS where possible).
  • Review account sessions and devices in your Google security dashboard and sign out unknown devices.
  • Check financial apps for new payees, transfers, or linked devices; contact your bank if anything looks off.

Long-term habits that keep Android safer

  • Install apps only from trusted sources (Play Store) and avoid third-party APK sites.
  • Keep OS and apps updated and don’t postpone security patches.
  • Limit permissions (especially Accessibility, SMS, and “Install unknown apps”).
  • Use a separate, low-risk Google account for testing a new device before signing into your primary account.

Bottom line: If a bargain Android device behaves suspiciously out of the box, prioritize updates and scans before logging into sensitive services. If problems persist after a reset and updates, returning the device is often the safest and fastest fix.