Some are severe, like the Essential Phone, which had a vulnerability allowing an attacker to pull off a factory reset. The flaw comes thanks to a pre-installed app with a file name "com.ts.android.hiddenmenu." Any app on the device could access that pre-installed app, and use it to reach the Essential Phone's system and wipe out all the data stored on it, Stavrou said.

Other vulnerabilities, like the ones on ASUS's ZenFone 3 Max, allow for apps to install any other app over the internet, obtain Wi-Fi passwords, set up keyloggers, intercept text messages and make phone calls. This was also on the ZenFone V and ZenFone 4 Max and Max Pro, according to the researchers.

Security researchers from Kryptowire, a security firm, found 38 different vulnerabilities that can allow for spying and factory resets loaded onto 25 Android phones -- 11 of them sold by major US carriers. That includes devices from Asus, ZTE, LG and the Essential Phone, which are distributed by carriers like Verizon or AT&T.

Angelos Stavrou, Kryptowire's CEO, and Ryan Johnson, the firm's director of research, disclosed their findings at the DEFCON hacker conference on Friday.

"All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box," Stavrou said. "That's important because consumers think they're only exposed if they download something that's bad."

https://www.cnet.com/news/these-popular-android-phones-came-with-vulnerabilities-pre-installed/