Probably.
http://thehackernews.com/2017/03/android-malware-apps.html
Apparently security researchers have scanned a number of smartphones from the major manufacturers and found 36 types that came with malware pre-installed. 
The malware didn't come from Google, Samsung, or any of the manufacturers. Rather it was installed somewhere along the supply-chain before it arrived at the distributer's warehouse. The two malware applications found were Loki and SLocker. Loki is a back-door app that gives the attackers full access to the phone and all data on it; and SLocker is a ransomware app.
How would you feel knowing that your new Android smartphone was already pre-installed with ramsomware, and the attackers are just waiting for you to get a bunch of valuable data on it, before locking it down and demanding a $1000 ransom, payable only in bitcoin?
Would purchasing your phone from a known entity like Best Buy help to mitigate the risk? I don't know and I'm not sure anyone does at this time.
Here's the list of smartphones found to be pre-infected:
| Galaxy Note 2 |
Galaxy Tab S2 |
| LG G4 |
Galaxy Tab 2 |
| Galaxy S7 |
Oppo N3 |
| Galaxy S4 |
Oppo N3 |
| Galaxy Note 4 |
Vivo X6 plus |
| Galaxy Note 5 |
Nexus 5 |
| Xiaomi Mi 4i |
Nexus 5X |
| Galaxy A5 |
Asus Zenfone 2 |
| ZTE x500 |
LenovoS90 |
| Galaxy Note 3 |
OppoR7 plus |
| Galaxy Note Edge |
Xiaomi Redmi |
| Lenovo A850 |
|