Android malware isn’t a thing, the savviest Android users will tell you. And they are partly right. They and users like them will probably never have to deal with Android malware. But then there are reports like this one, which claims that a powerful backdoor program was discovered preinstalled on 3 million Android devices.

DON’T MISS: Take a look at Apple’s new design book without spending $300

Found by security firm BitSight Technologies in the firmware preinstalled on almost three million Android phones, the “backdoor” is vulnerable to attacks that would allow a third-party with malicious intentions to gain full control of a device.

The backdoor found in Ragentek firmware “goes out of its way to conceal the presence of the underlying binary file,” Ars Technica reports.

“In this case, the developer added an exception when iterating over the system processes to explicitly skip over the affected binary (‘debugs’), and thus not display it in the returned results,” BitSight researcher Dan Dahlberg told the tech site. “In other words, the programs were modified to pretend this binary did not exist.”

But the firmware’s purpose doesn’t appear to be related to malware. Ragentek is intended to push legitimate over-the-air updates to the phone, and the backdoor capabilities might be unintentional.

However, the flaw could have been exploited by anyone with knowledge of the matter. All an attacker would have needed to target these devices is control of two internet domains, which are now operated by BitSight.

Had hackers obtained the addresses before the security site, they could have installed malware on the Android devices that actively try to connect to these addresses for some sort of software updates.

The Chinese company Ragentek Group does not encrypt communications sent and received to phones, and doesn’t use code-signing to authenticate legitimate apps.

Most devices susceptible to such an attack are based in the US, BitSight revealed. Most devices are made by BLU Products, although other lesser-known Android device makers are also on the list, including Infinix, Doogee, Leagoo, and Xolo.

Researchers discovered that many connections come from all sorts of sectors, including healthcare, government, and banking.

The list of affected devices could grow in the coming weeks. Only BLU patched the issue so far, although it’s not clear how effective the security update rollout is.

Users looking to protect their data should go to networks they trust and use VPN software when possible, on unsecured Wi-Fi connections.