Buying a low-cost Android tablet may sound like a bargain, but it can come with some security risks.

According to antivirus vendor Avast, thousands of Android devices from lesser-known brands have been secretly loaded with malware that can potentially download other nefarious code.

So far, it's only been used to spread adware. Avast noticed the threat on over 140 different Android models, most of them tablets, including products from ZTE, Archos, and Prestigio, among others.

Devices carrying the code will display annoying pop-up ads promoting various mobile games, Avast said. But what makes the malware particularly worrisome is that it was pre-installed. A mysterious party directly embedded the problematic code into the device's firmware, making it difficult to remove.

Avast speculates that the culprits exploited a gap in the supply chain. It's possible a vendor had its firmware software hacked, or maybe a rogue employee secretly slipped in the malicious code during production, Avast told PCMag in an email.

The malware, dubbed "Cosiloon," has been active for at least three years. In December 2016, Russian antivirus firm Doctor Web reported that it had been embedded into the firmware of 26 smartphone models. Since then, the code has persisted, and manufacturers continue to ship with it.

Although Cosiloon has so far been more of a nuisance than a security threat, Avast warns that the malware could also be used to download spyware and ransomware to the same devices.

Among Avast's own customers, the adware from Cosiloon has been found on 18,000 devices located in over 100 countries, including Russia, Italy, Germany, the UK, and the US.

Google reached out to the firmware developers so they could take steps to root out malicious code from their systems. In the meantime, Google is using its built-in malware protection on Android to prevent the adware from loading.

Avast's blog post has tips for affected users on how to remove Cosiloon from their devices. For instance, the company's mobile security app can automatically delete the adware it downloads.

"Users can find the [Cosiloon] dropper in their settings (named 'CrashService', 'ImeMess' or 'Termina' with generic Android icon), and can click the 'disable' button on the app's page, if available (depending on the Android version). This will deactivate the dropper and once Avast removes the payload, it will not return again," the antivirus vendor said.

A list of all the affected Android models can be found here. Interestingly, Cosiloon appears to run dormant on devices based in China, suggesting the culprits may be based there and want to avoid attention from authorities.

This article originally appeared on PCMag.com.