Glad to read your post! I have exactly the same issue with Cubot Rainbow. Bought in November, and 1 month later I observed strange behaviour:
--- Apps installed automatically, no confirmation by me (Wish was installed, later mobile.de)
--- Ad-Popups in WhatsApp, Messenger, Microsoft Outlook
--- Ad-Popups after unlocking the phone
--- Redirecting in Chrome (I was opening Wikipedia and was redirected to some get-rich-really-fast page). The redirecting was leading through multiple sites (like I visited Wikipedia, then Chrome opened page A for ~1 second, then page B for ~1 second, and then it landed on page C. One time I also got an error that Chrome could not open a news website because it was "redirecting too much")
--- Every time I opened the Play Store I was automatically redirected to a random app page without any user interaction
--- I noticed strange file names in the internal downloads folder with random names like "SAJD2388KDASDLOP" that could not be opened. After deletion, the files occurred again the next day
I tried several virus and malware scanners. One claimed that SystemUI is malware (but com.android.systemui is a legal system process, isn't it?), the other found nothing. Clearing the browser cache and deleting all custom apps did nothing. I then decided to do a factory reset.
Issues started again after 1 month (I only installed WhatsApp, Microsoft's HereMaps, and public transportation apps from official companies).
I did some research. The phone has a package com.adups.fota and another adups package, which has recently been reported as malicious by Kryptowire. They claim the app can install software remotely and is also sending back private data to Chinese servers. I also read some reviews in the Cubot Forum and on amazon.co.uk that are complaining about malware. There seemed to be a malicious YouTube app on another Cubot device, and other people have complained about the FOTA app and suspicious network connections to China. I installed a monitoring tool and it showed several connections to Singapore and Amazon (I guess AWS instances), although I had not installed any Amazon app and was not browsing.
I did a factory reset again, and after reinstalling I monitored that "com.mediatek.thermalmanager" was establishing an internet connection. Why should a tool that should observe temperatures (at least that's what it sounds like) establish internet connections? That's also suspicious.
UPDATE: Just after posting this, NetGuard has notified me that it has blocked SystemUI from connecting to some southeast Amazon server with IP 220.127.116.11. It's trying to connect there every 10 seconds at the moment. Why is SystemUI connecting to Amazon servers?
Based on my experience and recent articles about malicious Chinese phones, I'm pretty sure the malware was already on my phone when I bought it. It also seems to wait like a month till it gets activated, so it does not raise so much attention. As you said, your first thought was that some malicious app might cause it ... I thought the same...
I'm trying to send this thing back. But I just realised that although I purchased it with Amazon's Prime Same Day Delivery in Europe, the seller is located in China. Guess I'm not getting my money back for this weird phone :/
I have now installed a firewall and Opera and I'm blocking all app internet access by default. Hope that will protect me from malware till I get a new phone. If you have similar observations please share!