At least 25 Android smartphone models — 11 of which are sold by major U.S. carriers — carry vulnerabilities out of the box, making them easy prey for hackers, according to a new study from security researchers.

Researchers from the firm Kryptowire found 38 vulnerabilities in 25 Android phones, according to Wired. They range from being able to lock someone out of their device to gaining unapproved and secret access to the smartphone’s microphone.

Ryan Johnson, Kryptowire’s director of research, and Angelos Stavrou, the company’s CEO, disclosed their findings recently at the Black Hat security conference in Las Vegas, according to Wired. Kryptowire’s research was partially funded by the Department of Homeland Security.

The 11 Android phones listed by Kryptowire as vulnerable and popular in the United States are a mix of foreign manufacturers — such as China-based ZTE, Taiwan-based Asus and South Korea-based LG — and American phone manufacturers, such as Palo Alto-based Essential, which was founded by Andy Rubin, the creator of Android.

Once hackers exploit the pre-set vulnerabilities in the Android phones, they can track every move and turn the phone into a surveillance tool to collect information on its owner, according to CNET, which also reported on the study. Hackers could record screens, take screenshots, do a factory reset on a device, and potentially get logs of what the owner is typing, reading and contacting.

The vulnerabilities largely occurred after manufacturers tinkered with the open Android operating system to their liking and didn’t consider security issues as a byproduct, according to Wired.

“All of these are vulnerabilities that are prepositioned,” said Stavrou, according to CNET. “That’s important because consumers think they’re only exposed if they download something that’s bad.”

Kryptowire alerted the smartphone companies of the vulnerabilities before the presentation, and the firms have taken a varied range of actions since. Essential said they patched the vulnerabilities soon after they were informed, and LG, ZTE and Asus have patched some of the bugs and are continuing to fix the issues, according to CNET.