German cybersecurity company G DATA has discovered pre-installed spyware on a number of Chinese smartphone manufacturers, including Xiaomi.

“This is happening on a lot of phones,” said Andy Hayter, G DATA’s security evangelist.

Back in March, researchers with BlueBox Security also found similar malware on a Xiaomi Mi 4 LTE, which they purchased from a retailer during a trip to China.

The malware discovered can listen to calls, track users, and make online purchases.

G DATA has found it pre-installed on a total of 26 Chinese smartphone makers, including Lenovo, Huawei, and Xiaomi.

This isn’t the first time spyware has been discovered on Xiaomi devices, in July 2014, a researcher at Hong Kong forum IMA Mobile discovered it was installed the Xiaomi Redmi Note.

Researchers haven’t been able to pinpoint the stage of the supply chain at which the malware is being installed.

Most likely, the malware is being installed by independent shop operators, or middlemen. Purchasing directly from the company, or reputable dealers such as Gear Best could significantly reduce the risk of buying a compromised device.

Most alarmingly, according to G Data the malware cannot be removed once discovered. The only option is to buy a new phone.