According to a recent report by a security firm Bluebox who had received and tested the Mi 4, Xiaomi's popular flagship Mi 4 smartphone could potentially come with a huge security risk of pre-installed malware prior to the user getting their device. This is an alarming thing to read for any consumer, but people should be aware that Bluebox notes the device was seemingly tampered with by an unknown third party during the distribution/retail process, so it's entirely possible that Xiaomi had no knowledge whatsoever, which is likely the case. Bluebox also notes that due to Xiaomi's popularity with device counterfeiters the device they received could have been a fake. At this point in time, it remains unclear as to the exact origin of the malware and other security risks with the Mi 4 device tested by Bluebox.
When Bluebox first tested the device and reported on their findings,(which was last Thursday)they stated that they found multiple security risks with different types of Malware that were pre-installed on the phone, including apps called Yt Service, PhoneGuardService, and something called AppStats. Yt Service is apparently used to get ads pushed to the user's device through the means of an AdWare service called DartPusher which is installed onto the device by Yt Service, while PhoneGuardService and AppStats were listed as a Trojan and Malware respectively.
One day later after Bluebox posted their findings online and emailing Xiaomi in hopes to get a response, Xiaomi's Hugo Barra emailed Bluebox back stating that the device that Bluebox received had been tampered with, as it was purchased physically by Bluebox in a third party retail store in China. Xiaomi iterated that they don't sell devices through any third party stores, only through select carrier stores as well as online through Mi.com and official online channels, and that they don't sell devices that come rooted out of the box, as was the case with the device tested by Bluebox. Even with the response from Xiaomi bringing important details to light about the means used to purchase the phone causing the security risks, Bluebox poses concerns about how easy it may be to attack Xiaomi devices at the retail level, whether it be through third party physical stores in the region, or while devices purchased from Mi.com are in transit and on their way to their destination.
UPDATE: It seems like the Mi 4 that Bluebox tested is actually a counterfeit, click here for more information (follow-up article).