Certain Android phones (including some from ZTE) have malware pre-installed at the firmware level
According to a report published by Avast Threat Labs, several hundred Android handsets made by ZTE, Archos and myPhone come pre-installed with malware called "Cosiloon." The malware displays an ad in the form of an overlay on the user's default browser. And since it is installed on the firmware level, it is very hard to remove. The good news is that most of these phones are not used by U.S. consumers as they are not certified by Google, and are powered by MediaTek chipsets.
Avast has spoken with Google about "Cosiloon" and the company has been able to reduce the capabilities of the malware on several models. To make sure that there is some kind of protection in the future, Google Play Protect has been updated. And Google has spoken with developers to inform them of the problem, and to motivate them to come up with ways to combat this malware.
source: AdvastThreatLabs