Cubot has released an updated ROM: http://forum.cubot.net/viewtopic.php?f=21&t=1562
Didn't installed this yet on the phone, but downloaded the ROM and "diffed" this with the previously release ROM from 2017-05-26 (the one with that "surprising" com.android.telephone app).
Most of the .apk and .odex files do binary-differ. However, it look like the app packages are just re-packed. At least they are packaged now with a JVM 1.7.0_121 (compared to 1.7.0_79).
But the real change is, that the newer ROM now has some apps missing. In the /priv-app directory this is the malicious com.android.telephone.apk, and in the /app directory these are com.sherlock.news.apk and webcore.apk (not sure what the first one is, but the latter one looks like just an opera-mini downloader/launcher). The new ROM does not include any new apps (just lots of more linux cmdline tools which are actually all symlinks to " toybox" utility)
So, the known malicious app com.android.telephone has gone. But who knows? Is the next round of malware now just hidden elsewhere?