A few lucky customers have bought the new, extremely hyped OnePlus 2 without the official invite. Unfortunately, these consumers received something they did not expect: OnePlus 2s with pre-loaded malware.

Geektime recently discovered that a OnePlus 2 phone sold through KSP, one of Israel’s largest digital stores, had pre-installed malware, implying that thousands of OnePlus 2 phones sold without direct invites may be infected. The source, whose information Geektime independently verified, bought the phone in early September through one of the largest electronics chains in Israel with no idea that KSP purchased these phones from a third-party seller rather than OnePlus itself.

The source was motivated to employ anti-virus software after noticing that when he used Google Chrome, he was sent to a site called “global.ymtracker” or other sites with the name “tracker” in them for several seconds before reaching the address he put into the search engine.

After running AVG anti-virus software on his device, he found the malware. The AVG app discovered four potential threats: two were in applications he could uninstall, and the other two were in the pre-installed OnePlus 2 apps “Browser” and “Fun Weather.” They were classified as potential sources of unwanted harm. He then clicked to get more information, which showed that, “In the past 7 days, both Browser and Fun Weather were linked to four cases of malware,” along with the different names of the viruses that they were linked to. However, the source couldn’t uninstall the apps because they were pre-installed on the device without any ability to remove them.

When Geektime reached out to the OnePlus support forum, an administrator replied that “neither of those apps come installed on a global device running OxygenOS bought directly” from OnePlus and official distributors.

Taking advice from a Reddit thread by a OnePlus owner who had experienced similar problems after buying the phone from Gearbest in the U.S., he reinstalled his entire operating system, which ultimately got rid of the malware.

OnePlus’ and Israel’s official OnePlus distributor’s comments

Both OnePlus and Israel’s official OnePlus distributor, C-DATA, told Geektime that they do not recommend buying OnePlus products through unofficial retailers. When asked about the malware infected phone bought from a KSP store, OnePlus replied, “We do not condone users to buy our products through unofficial sources. In Israel, C-DATA is the only official distributor for OnePlus.” C-DATA in turn told Geektime, “C-DATA is the official distributor of OnePlus products in Israel. Our company is in cooperation with OnePlus to launch OnePlus 2 in the month of October in Israel.”

How our reporting saved future KSP customers from corrupted phones

In the end, KSP informed Geektime that they bought the OnePlus 2 phones not from C-DATA, but from a retailer called MOBILE BD. After our request for comment, they told MOBILE BD, who did their own check and found the same cases of malware. KSP will stop selling the phones and get new, clean OnePlus 2s from MOBILE BD, and MOBILE BD will guide customers who bought the malware-infected phones on how to install a new version. They encourage affected customers to call them at 03-919-9888.

A warning to anyone buying any smartphone, anywhere: If it’s not sold through an official distributor, the phone could have pre-installed malware

Not only did KSP, which has more than 45 branches across Israel, sell corrupted phones; online stores such as eBay and Amazon have also been caught selling Chinese smartphones pre-loaded with malware that steals users’ personal data. In 2014, Hacker News reported that the Sony Xperia Z3 and Z3 Compact, HTC One M7, HTC One X, and OnePlus One all had buyers that documented spyware.

It is unclear who in the supply chain corrupts the phone: the manufacturers themselves (though that seems unlikely), the third-party retailers, or someone else who places malware somewhere in the production line.

What can customers do to make sure that they do not buy a smartphone with pre-installed malware?

Find out who the smartphone’s official distributor is in your country of purchase. Only buy a phone from stores that partner with this company. This will probably require asking the store directly if they work with the official partner, since they may publicize that they are a seller of the brand at hand without detailing who their distributor is, such as on KSP’s website.

In general, be suspicious of especially good deals from retail outlets or online sites that give you better prices on new phones than what you see elsewhere. And if you think you can get an early OnePlus 2 without an invite, you have officially been warned.