If you’ve been paying close attention to Xiaomi news this week, you’ll have struggled to avoid a story which has proven particularly nasty for the up and coming smartphone maker. Mobile security firm BlueBox managed to get their hands on a Xiaomi Mi4 for testing, only to find that the phone came pre-loaded with malware, adware and spyware. Those included Yt Service (a back door ad pushing platform), a trojan named PhoneGuardService, SMSReg (malware) and Appstats, which is classified as riskware. Naturally, in the wake of Lenovo‘s ongoing and utterly catastrophic Superfish episode, this raised more than a few eyebrows, especially with Xiaomi’s expansion into Europe and the US just over the horizon. To make matters worse, Xiaomi’s own verification tool identified the phone as an official unit from the Chinese smartphone company. Well, Xiaomi have been investigating the matter alongside BlueBox and have concluded that the phone had been tampered with by a third party, with sophisticated software changes designed to fool Xiaomi’s verification into providing a false positive result. Here’s the full statement as made to BGR India: There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We’re gathering more information to fully confirm this and should have a final answer in the next 24 hours. With the large parallel street market for mobile phones in China, not only is it somewhat common for third parties to tamper with the software sold on smartphones, but there are counterfeit products which are almost indistinguishable from the original products on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. Furthermore, “entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run “tests” showing the hardware is legitimate — fooling even very discerning buyers. Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China. However, for the safety of our users, Xiaomi and all smartphone brands always recommend buying phones through authorised channels. Xiaomi only sells via Mi.com, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India. In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.