A research firm says that a popular bargain-brand Chinese Android smartphone comes with a hidden extra feature: permanently installed malware that sends users’ personal info to a secret server in China.

The Star N9500, not common in the U.S. but widely available in Europe, is widely regarded as a cheaper variant Samsung’s Galaxy S4. It’s got a similar look and features, but it’s often sold for under $160, a fraction of the S4’s cost.

But you get what you pay for, apparently. German security firm G Data says it’s found that the phone comes bundled with extensive malware—embedded in the N9500’s firmware, so it’s impossible to uninstall—which allows the phone to track all of its user’s personal data. The malware also blocks security updates.

“The intercepted data is sent to an anonymous server in China,” Christian Geschkat, G Data Product Manager said on the company’s site. That means whether this is the result of a company gone rogue—or if it’s evidence that Chinese government hackers have taken a page from the U.S.’s National Security Agency‘s book—is left to speculation.

Photo by janitors/Flickr (CC By 2.0) | Remix by Max Fleishman