Android devices have a complicated relationship with security. Although the operating system itself and Google Pixel smartphones have shown resistance to software exploits over time, the frequent appearance of malicious applications in Google Play and the vulnerability of devices from some third-party manufacturers have somewhat tarnished Android’s reputation as a safe OS.

Now that reputation could suffer even more, as two studies at once suggest that millions of Android devices were sold with malware pre-installed that cannot be removed, reports ArsTechnica.

The first report was prepared by Trend Micro, a company specializing in cyber security. Its researchers found that up to 8.9 million smartphones from about 50 different brands were infected with malware. Researchers from the security firm Sophos called it Guerrilla. It was featured in 15 malicious apps published in the Google Play Store.

Once installed, Guerrilla opened a backdoor, forcing infected devices to regularly contact a remote command-and-control server to check for new malicious updates. Those updates collected user data that the attackers, which Trend Micro calls the Lemon Group, could sell to advertisers. After that, Guerrilla secretly installed aggressive advertising platforms that could quickly drain the battery and negatively affect the operation of the devices.

The USA became the country with the largest number of infected devices, followed by Mexico, Indonesia, Thailand, and Russia.

Guerrilla is a large platform with nearly a dozen plugins that can intercept WhatsApp users’ sessions to send spam messages, install a reverse proxy from an infected smartphone to use the network resources of the affected mobile device, and inject ads into legitimate apps.

Unfortunately, Trend Micro did not say which brands were affected, and the company did not respond to requests for that information.

A second report, published by TechCrunch, concerns several lines of Android-based TV boxes sold through Amazon with malware preloaded. These TV boxes identified as models T95 index h616, connect to a command-and-control server that can install any program the malware creators want. By default, a “click bot” is installed on the consoles, which generates advertising revenue by secretly clicking on ads in the background.

TechCrunch cites reports from researcher Daniel Milisic, who purchased one of the infected TV boxes. His findings were independently confirmed by Bill Buddington, a researcher at the Electronic Frontier Foundation.

Unfortunately, the phenomenon of Android devices being sold with pre-installed malware is not new: at least five such incidents have been reported in recent years. All affected models belonged to the budget segment.