Updated at 18:00 IST: Bluebox and Xiaomi now confirm that the handset the security firm tested was a counterfeit bought through an unofficial channel. Xiaomi's full statements are below.

Xiaomi's Mi 4 is one of the best smartphones you cannot easily buy, and for the moment that may be for the best. Don't get me wrong: the Mi 4 packs top-of-the-line specifications, the latest Android-based operating system and a remarkably low price, but if a new report from security firm Bluebox is to be believed, the unit it tested also came with malware and a host of other problems. The handset appears to have been tampered with by an unidentified third party, however. We'll have more details on this later today.

The security firm flagged the Chinese manufacturer's handset for a number of reasons, including pre-installed malware, adware that disguises itself as a Google application, and exposure to several known Android flaws. Furthermore, the operating system running on the Xiaomi smartphone is a non-certified version of Android. "[The Mi 4 is] vulnerable to every vulnerability we scanned for", wrote Andrew Blaich, lead security expert at Bluebox.

Blaich noted that the Mi 4 runs a non-certified build of Android that carries a number of vulnerabilities dating back to older Android releases, leading the firm to believe that the Mi 4's MIUI ROM is a mashup of KitKat and an older version of Android. For those reasons, the firm concluded that the smartphone might not be ready for "consumer use".

Those were not the only problems Bluebox found. The phone came with a number of apps that the firm flagged as malware, spyware or adware. One of them, Yt Service, is adware according to Bluebox, which says it comes pre-installed on all LTE-capable Mi 4 variants. "This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google)", Blaich wrote in a blog post. The distinction matters: an Android package name is free text chosen by whoever builds the APK, so a com.google.* name proves nothing about its origin; only the certificate the APK is signed with ties it to a publisher.

The phone also came pre-installed with PhoneGuardService, which Bluebox classifies as a Trojan that lets attackers hijack the device. Two other apps, SMSreg and AppStats, were flagged as risky software.

The handset Bluebox tested was also exposed to several vulnerabilities. "Not only was the device vulnerable to every vulnerability we scan for (except for Heartbleed which only was vulnerable in 4.1.1), it was also rooted and had USB debugging mode enabled without proper prompting to talk with a connected computer", Blaich explained. On a stock build, USB debugging is off by default and, once enabled, a connected computer must be approved on the phone's screen before it gets a debug shell; on this unit, neither protection was in place, so any computer it was plugged into had root-level access.

Xiaomi reached out to Bluebox and said the handset the firm tested appears to have been tampered with, since several apps carried signatures that did not match the manufacturer's signing key. The company also pointed out that it does not sell rooted phones and that several of the apps mentioned are not shipped on its handsets at all.
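The two observations above, a package squatting in Google's com.google namespace and Xiaomi's comparison of app signatures against its own signing key, come down to the same check: identify a pre-installed app by the certificate it is signed with, never by its package name. The following is an added example (not Bluebox's or Xiaomi's code) of that check in Python. It extracts the signing certificate from an APK's v1 (JAR) signature block, computes its SHA-256 fingerprint and compares it with the signers allowed for each package namespace. The certificates, fingerprints, package inventory and the `TRUSTED` map are all constructed stand-ins; real values would come from the vendor's published keys or from a known-good device, and the newer v2/v3 APK Signature Scheme block that modern APKs also carry is not parsed here.

```python
"""Identify a pre-installed APK by its signing certificate, not its package name.
Added example (not Bluebox's or Xiaomi's tooling). Reads the v1/JAR signature
block META-INF/*.RSA|*.DSA|*.EC, extracts the certificate from the PKCS#7
SignedData with a minimal DER walker, and checks its SHA-256 fingerprint against
the signers allowed for the package namespace. All certificates are stand-ins."""
import hashlib
import io
import zipfile

def der_read(buf, pos):
    """Decode one DER TLV at pos -> (tag, inner value, raw TLV, next pos)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    end = start + length
    return tag, buf[start:end], buf[pos:end], end

def der_children(value):
    """Yield (tag, inner, raw) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, raw, pos = der_read(value, pos)
        yield tag, inner, raw

def certs_from_pkcs7(blob):
    """Return the DER certificates inside a PKCS#7 SignedData (the CERT.RSA layout)."""
    tag, content_info, _, _ = der_read(blob, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    # ContentInfo = SEQUENCE { contentType OID, [0] EXPLICIT SignedData }
    _, explicit, _ = list(der_children(content_info))[1]
    _, signed_data, _ = next(der_children(explicit))
    # SignedData = SEQUENCE { version, digestAlgorithms, encapContentInfo,
    #                         [0] IMPLICIT certificates OPTIONAL, ..., signerInfos }
    for tag, inner, _ in der_children(signed_data):
        if tag == 0xA0:
            return [raw for t, _i, raw in der_children(inner) if t == 0x30]
    return []

def apk_signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of every certificate in the APK's v1 signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(hashlib.sha256(c).hexdigest() for c in certs_from_pkcs7(z.read(name)))
    return fps

def check_package(package, apk_bytes, trusted):
    """'ok' if a signer is allowed for the package's namespace prefix, else the reason."""
    signers = apk_signer_fingerprints(apk_bytes)
    if not signers:
        return "unsigned"
    for prefix, allowed in trusted.items():
        if package.startswith(prefix):
            return "ok" if signers & allowed else "signer-mismatch"
    return "unknown-namespace"

# ---- constructed sample data: stand-in "certificates", not real X.509 ----
def der(tag, payload):
    """Minimal DER encoder, used only to build the sample signature blocks."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + payload

def fake_cert(owner):
    return der(0x30, der(0x0C, f"stand-in certificate for {owner}".encode()))

def fake_cert_rsa(cert):
    """PKCS#7 SignedData carrying one certificate, shaped like META-INF/CERT.RSA."""
    oid_data = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"      # 1.2.840.113549.1.7.1
    oid_signed = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"    # 1.2.840.113549.1.7.2
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, oid_data))
                      + der(0xA0, cert) + der(0x31, b""))
    return der(0x30, der(0x06, oid_signed) + der(0xA0, signed_data))

def fake_apk(cert):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", fake_cert_rsa(cert))
    return buf.getvalue()

GOOGLE_CERT, VENDOR_CERT, ROGUE_CERT = (fake_cert(o) for o in ("Google", "the vendor", "unknown"))
TRUSTED = {"com.google.": {hashlib.sha256(GOOGLE_CERT).hexdigest()},
           "com.xiaomi.": {hashlib.sha256(VENDOR_CERT).hexdigest()}}

def demo():
    """Constructed inventory; the last entry mirrors the com.google.hfapservice case."""
    inventory = {"com.google.android.gms": fake_apk(GOOGLE_CERT),
                 "com.xiaomi.market": fake_apk(VENDOR_CERT),
                 "com.google.hfapservice": fake_apk(ROGUE_CERT)}
    return {pkg: check_package(pkg, apk, TRUSTED) for pkg, apk in inventory.items()}

if __name__ == "__main__":
    for pkg, verdict in demo().items():
        print(f"{pkg:26} {verdict}")
```

Run against a real device, the inventory would come from the APK files under /system/app and /system/priv-app, and the allowlist from fingerprints captured on a unit bought through an official channel; a package whose name sits in a vendor namespace but whose signer is not that vendor is exactly the com.google.hfapservice pattern, and the same test flags a tampered or counterfeit ROM regardless of which explanation turns out to be right.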

"We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don't pre-install services such as YT Service, PhoneGuardService, AppStats etc. Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores," Hugo Barra, VP International at Xiaomi, told the firm.

Bluebox was not satisfied with Xiaomi's response and pushed back with a further concern about the company's supply chain. "If it's this easy to modify the device in the retail chain, it could also be modified in transit, even when purchased from mi.com," Blaich wrote, referencing a recent Der Spiegel article describing a modern form of wiretapping in which U.S. intelligence officials intercept computers before they reach their destination and load them with malware.

This isn't the first time a Chinese smartphone has been flagged for inconsistencies or for serving malware. Xiaomi's handsets have previously been accused of sending private information to Chinese servers, and there have been several cases in which Chinese or Indian smartphones were tampered with in transit or at the factory and loaded with adware. More on this as it develops, but for now we stress that this is a single, disputed report.

Xiaomi plans to debut in the U.S. market by the end of this year.

Update: Xiaomi reached out to us and provided this statement.