Low-end smartphones sold to low-income Americans through a government-subsidized program contain unremovable malware, security firm Malwarebytes said today in a report.
The smartphone model is the Unimax (UMX) U686CL, a low-end Android-based smartphone made in China and sold by Assurance Wireless, a cell phone service provider that is part of the Virgin Mobile group.
The telco sells cell phones as part of Lifeline, a government program that subsidizes phone service for low-income Americans.
“In late 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious,” Malwarebytes said in a report published today.
The company said it purchased a UMX U686CL smartphone and analyzed it to confirm the reports it was receiving.
For starters, Malwarebytes said it found that one of the phone’s components, an app named Wireless Update, contained the Adups malware.
The Adups malware was discovered in 2017 by Kryptowire; it is a malicious firmware component created by a Chinese company of the same name.
Adups provides the component as a firmware-over-the-air (FOTA) update system to various smartphone makers and firmware vendors.
The component is supposed to give firmware vendors a way to update their code, but in 2017 the Kryptowire team discovered that Adups (the company) also had the ability to ship updates to users’ phones, bypassing smartphone vendors and users alike.
Malwarebytes says that this component is currently in use on UMX devices, and is being used to install apps without the user’s knowledge. By whom remains unclear.
“From the moment you log into the mobile device [the UMX U686CL], Wireless Update starts auto-installing apps,” the Malwarebytes team said. “To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own.
“While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time.”
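A defender-side triage check for the behaviour quoted above, added here as an example and not part of the Malwarebytes report or this article: it parses output captured from `adb shell pm list packages -i -3` (the sample lines below are constructed) and flags user-space apps whose recorded installer is not an app store, then groups them by installer so a silently installing updater stands out. The updater's package name is a hypothetical placeholder, since the article does not give it.

```python
"""Triage helper: find apps that arrived via a pre-installed updater rather
than through an app store. Added example, not code from the report."""
import re
from typing import Dict, List

# Installers a user normally interacts with; anything else deserves a look.
KNOWN_STORE_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Hypothetical placeholder: the article does not name the updater's package.
SUSPECT_UPDATER = "com.example.wirelessupdate"

# `pm list packages -i` prints one line per app: package:<name>  installer=<who>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PM_OUTPUT = """\
package:com.example.game  installer=com.android.vending
package:com.example.weather  installer=com.example.wirelessupdate
package:com.example.flashlight  installer=com.example.wirelessupdate
package:com.example.notes  installer=null
"""


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map each third-party package to the installer Android recorded for it."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m["pkg"]] = m["installer"]
    return result


def flag_silent_installs(pkgs: Dict[str, str]) -> List[str]:
    """Packages not installed through a known store. 'null' means the
    installer was not recorded (sideload or privileged install)."""
    return sorted(p for p, inst in pkgs.items() if inst not in KNOWN_STORE_INSTALLERS)


def group_by_installer(pkgs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group flagged packages by installer; an updater pushing several apps
    (the pattern described for Wireless Update) shows up as one large group."""
    groups: Dict[str, List[str]] = {}
    for pkg in flag_silent_installs(pkgs):
        groups.setdefault(pkgs[pkg], []).append(pkg)
    return groups


if __name__ == "__main__":
    for installer, apps in group_by_installer(parse_pm_output(SAMPLE_PM_OUTPUT)).items():
        print(f"{installer}: {', '.join(apps)}")
```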
Dropper leads to adware
But Malwarebytes said there is a second dangerous component included on these phones. Researchers said they also found suspicious code in the phone’s Settings app.
The app, Malwarebytes says, was tainted with what appeared to be a strain of heavily-obfuscated malware, believed to be of Chinese origin, due to the heavy use of Chinese characters as variable names.
Security researchers said this malware was coded to work as a dropper for a second-stage malware payload, a well-known adware strain known as HiddenAds.
“Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device,” Malwarebytes said.
Malwarebytes researchers said they couldn’t confirm that Unimax was the party that added the malware to the devices.
This might be another case where malware was added to devices by third parties involved in a smartphone’s supply chain — while the devices travel from the phone maker to a buyer.
Malwarebytes said that while the device “is not a bad phone,” the presence of the two malware-infected apps makes the smartphone worthless and even dangerous to its users.
Making matters worse, the two malicious apps are unremovable.
While users could disable and uninstall the Wireless Update app, this would result in the phone missing out on critical security updates for its firmware components — which effectively makes the app unremovable, at least if you want to keep your device up to date.
The Settings app, on the other hand, is unremovable in the true sense of the word: there is no way to remove it, and even if you did, you would no longer be able to manage your phone.
Malwarebytes says it informed Assurance Wireless of its findings but never heard back from the company. A request for comment sent by ZDNet two days ago was also not returned.