Malwarebytes reports a low-end smartphone that has unremovable malware
Malwarebytes is reporting that malware has been detected already pre-installed on a smartphone provided by Lifeline, a government-subsidized program that offers smartphones to low-income Americans.
The smartphone model in question is the Android-based
Unimax (UXM) U686CL made for Assurance Wireless, the company that provides the
cellphones for Lifeline.
In the report released by Malwarebytes they stated the
investigation into the phone model started because, “In
late 2019, we saw several complaints in our support system from users with a
government-issued phone reporting that some of its pre-installed apps were
Malwarebytes went on to say they then purchased a UMX U686CL
smartphone and analyzed it to confirm the reports it was receiving.
One of the issues that Malwarebytes was the Adups malware, which
they found in one of the phone’s components, an app named Wireless Update.
The Adups malware was discovered in 2017 by Kryptowire, a
malicious firmware component created by a Chinese company of the same name.
Adups works by providing the component as a
firmware-over-the-air (FOTA) update system to various smartphone makers and
While the component is supposed to allow firmware vendors a way
to update their code, what the Kryptowire team discovered was that Adups (the
company) also had the ability to ship updates to users’ phones themselves,
bypassing smartphone vendors and users alike.
This component is being reported by Malwarebytes to be in use on
UMX devices and is being used to install apps without the user’s knowledge. The
report does not specify who is installing the unauthorized apps.
the moment you log into the mobile device [the UMX U686CL], Wireless Update
starts auto-installing apps,” the Malwarebytes team said. “To repeat:
There is no user consent collected to do so, no buttons to click to accept the
installs, it just installs apps on its own.”
report goes on to say, “While the apps it installs are initially clean and
free of malware, it’s important to note that these apps are added to the device
with zero notification or permission required from the user. This opens the
potential for malware to unknowingly be installed in a future update to any of
the apps added by Wireless Update at any time.”
Malwarebytes has also stated that there is a second dangerous
component included on these phones. Researchers said they also found suspicious
code in the phone’s Settings app.
The app, Malwarebytes says, was tainted with what appeared to be
a strain of heavily-obfuscated malware, which are believed to be of Chinese
origin, due to the heavy use of Chinese characters as variable names.
researchers said this malware was coded to work as a dropper for a second-stage
malware payload, a well-known adware strain known as HiddenAds.
“Although we have yet to reproduce the dropping of
additional malware ourselves, our users have reported that indeed a variant of
HiddenAds suddenly installs on their UMX mobile device,” Malwarebytes
Malwarebytes researchers were unable to confirm that Unimax was
the party that added the malware to the devices.
Malwarebytes said that while the device itself “is not a
bad phone,” the presence of the two malware-infected apps make the
smartphone worthless and even potentially dangerous to its users.
Making matters worse, the two malicious apps that were found are
While users could disable and uninstall the Wireless Update app,
this would result in the phone missing out on critical security updates for its
firmware components, making the app unremovable, at least if you want to keep
your device up to date.
On the other hand, the Settings app is unremovable in the real
meaning of the word, as there is no way to remove the app, and even if you were
able to remove Settings, you wouldn’t be able to manage your phone afterward.
Malwarebytes says it informed Assurance Wireless of its findings but never heard back from the company directly.
if we can be of help with your network or computer, give us a call here at
RHYNO Networks. (855) 749-6648