Jeremy Herold

Pre-installed Malware Found on Low-End Smartphone


Malwarebytes reports a low-end smartphone that has unremovable malware

Malwarebytes is reporting that it has detected malware pre-installed on a smartphone provided through Lifeline, a government-subsidized program that offers smartphones to low-income Americans.

The smartphone model in question is the Android-based Unimax (UMX) U686CL, made for Assurance Wireless, the company that provides the cellphones for Lifeline.

In its report, Malwarebytes stated that the investigation into this phone model started because, “In late 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious.”

Malwarebytes went on to say they then purchased a UMX U686CL smartphone and analyzed it to confirm the reports it was receiving.

One of the issues Malwarebytes found was the Adups malware, located in one of the phone’s components, an app named Wireless Update.

Adups, a malicious firmware component created by a Chinese company of the same name, was discovered in 2017 by Kryptowire.

Adups works by supplying the component to various smartphone makers and firmware vendors as a firmware-over-the-air (FOTA) update system.

While the component is supposed to give firmware vendors a way to update their code, the Kryptowire team discovered that Adups (the company) could also ship updates to users’ phones itself, bypassing smartphone vendors and users alike.

This component is being reported by Malwarebytes to be in use on UMX devices and is being used to install apps without the user’s knowledge. The report does not specify who is installing the unauthorized apps.

“From the moment you log into the mobile device [the UMX U686CL], Wireless Update starts auto-installing apps,” the Malwarebytes team said. “To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own.”

The report goes on to say, “While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time.”

Malwarebytes has also stated that there is a second dangerous component included on these phones. Researchers said they also found suspicious code in the phone’s Settings app.

The app, Malwarebytes says, was tainted with what appeared to be a strain of heavily obfuscated malware, believed to be of Chinese origin because of the heavy use of Chinese characters as variable names.

Security researchers said this malware was coded to work as a dropper for a second-stage malware payload, a well-known adware strain known as HiddenAds.

“Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device,” Malwarebytes said.

Malwarebytes researchers were unable to confirm that Unimax was the party that added the malware to the devices.

Malwarebytes said that while the device itself “is not a bad phone,” the presence of the two malware-infected apps makes the smartphone worthless and even potentially dangerous to its users.

Making matters worse, the two malicious apps that were found are unremovable.

While users could disable and uninstall the Wireless Update app, doing so would leave the phone without critical security updates for its firmware components, making the app effectively unremovable, at least if you want to keep your device up to date.

The Settings app, on the other hand, is unremovable in the real meaning of the word: there is no way to remove it, and even if you could remove Settings, you would not be able to manage your phone afterward.
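The distinction the article draws between a pre-installed app that can only be disabled and one that cannot be touched at all comes down to where the APK lives. The following is an added example, not code from this post, RHYNO Networks or Malwarebytes: a small triage script that parses the output format of `adb shell pm list packages -f`, reports which packages ship on a firmware partition, and prints (without running) the `pm disable-user` command for one of them. The package names and paths in the sample are constructed placeholders, not the real identifiers of the components Malwarebytes analysed.

```shell
# Added example, not code from the article, RHYNO Networks or Malwarebytes.
# Triage helper for the text that `adb shell pm list packages -f` prints,
# one line per installed package:  package:<apk-path>=<package-name>
# A package whose APK sits on a firmware partition (/system, /vendor,
# /product, /oem) was shipped with the device; "pm uninstall" cannot remove
# it, and the most a user can do is disable it for their own profile.

# Constructed sample output. The package names and paths are placeholders
# chosen for this example; they are NOT the real identifiers of the
# components Malwarebytes analysed on the UMX U686CL.
SAMPLE_PM_OUTPUT='package:/system/app/WirelessUpdate/WirelessUpdate.apk=com.example.fota.placeholder
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.messenger-1/base.apk=com.example.messenger
package:/vendor/app/VendorTool/VendorTool.apk=com.example.vendortool'

# list_preinstalled: reads pm output on stdin and prints "<package> <apk-path>"
# for every package that lives on a firmware partition.
list_preinstalled() {
    awk -F'[:=]' '
        $1 == "package" && $2 ~ /^\/(system|vendor|product|oem)\// { print $3, $2 }
    '
}

# count_preinstalled: number of firmware packages in the pm output on stdin.
count_preinstalled() {
    list_preinstalled | awk 'END { print NR }'
}

# is_preinstalled <package>: exit status 0 if that package ships in firmware.
is_preinstalled() {
    list_preinstalled | awk -v p="$1" '$1 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# disable_command <package>: the adb command that disables a firmware package
# for the primary user without modifying the partition. It is printed, not
# executed, so the reader decides; disabling the update component also stops
# firmware updates, which is the trade-off the article describes.
disable_command() {
    printf 'adb shell pm disable-user --user 0 %s\n' "$1"
}

# Usage against the constructed sample (feed real adb output instead):
printf '%s\n' "$SAMPLE_PM_OUTPUT" | list_preinstalled
printf '%s\n' "$SAMPLE_PM_OUTPUT" | is_preinstalled com.example.fota.placeholder \
    && disable_command com.example.fota.placeholder
```

On a real device, replace the constructed sample with `adb shell pm list packages -f` output; the script only reads text and prints a suggested command, so it makes no change to the phone by itself.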

Malwarebytes says it informed Assurance Wireless of its findings but never heard back from the company directly.

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648
