Bluebox Security tested a popular smartphone in China and found a number of major security issues, including pre-installed malicious apps and numerous vulnerabilities.  

The smartphone, a Xiaomi Mi 4 LTE device, was first verified to be a legitimate device by Xiaomi, the world’s third largest smartphone distributor. Andrew Blaich of Bluebox revealed Thursday that the phone ran a “forked,” or uncertified, form of Android largely based on the MIUI ROM.

In addition to detecting pre-loaded “suspicious apps” on the device, categorized as malware, spyware or adware, Bluebox saw that the phone was vulnerable to every bug it scanned for, except Heartbleed. Several conflicting API build properties were also observed, meaning it was “unclear if [the] build of the software was meant for testing or release to consumers,” Blaich explained.

Bluebox disclosed the issues to Xiaomi, which did not follow up with the security firm.

UPDATE: Despite Bluebox’s efforts to check the authenticity of the device, Xiaomi said that the firm’s security analysis was actually done on a counterfeit smartphone.