Fake ringtone app phishes for data and downloads more viruses.
Smartphones are being sold in Asia and Africa with a Chinese trojan installed on them, according to the security company Lookout.
DeathRing comes disguised as a ringtone app, but phishes for information from the victim by downloading text messages requesting data, prompting the user to download further malware through a web browser.
Jeremy Linden, security product manager at Lookout, said: "We are not currently aware of where in the supply chain DeathRing is installed, we know DeathRing is loaded in the system directory of a number of devices."
"These devices are mostly from third-tier manufacturers selling phones to the developing world."
The malware activates itself after the phone has been restarted five times, or when the phone has gone to standby and back fifty times.
Phones affected include two fake Samsung models, several phones from the Indian manufacturer Gionee and a number of Samsung clones, with the main countries hit being India, China, and Nigeria, among others.
"Detection volumes are moderate, though we consider this a concerning threat given its pre-loaded nature and the fact that we are actively seeing detections of it around the world," Linden added.