Full story -> https://nakedsecurity.sophos.com/2016/11/16/shanghai-surprise-as-cheap-android-devices-phone-home-to-china/
This is we are still focused on apple first for our mobile strategy - a strategy which has to allow download on uncontrolled or untrusted devices, which could well be devices like these.
With apple we have a good idea that the hardware and operating system can be trusted. We can check for hardware encryption, touchID and pin code being turned on. Now if we can find a way to confirm that an Android device is an up to date Google or Samsung phone, with user security and encryption in use, then that would be different.