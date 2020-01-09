

Low-end smartphones sold to low-income Americans through a government-subsidized program contain non-removable malware, security company Malwarebytes said in a report today.

The smartphone model is Unimax (UMX) U686CL, a low-end Android-based smartphone made in China and sold by Assurance Wireless, a mobile phone provider that is part of the Virgin Mobile group.

The telco sells the phones as part of Lifeline, a government program that subsidizes telephone services for low-income Americans.

“At the end of 2019, we saw several complaints in our user support system from users with a government-issued phone, who reported that some of the pre-installed apps were harmful,” Malwarebytes said in a report published today.

The company said it purchased a UMX U686CL smartphone and analyzed it to confirm the reports received.

Adups back door

To begin with, Malwarebytes said it discovered that one of the components of the phone, an app called Wireless Update, contained the Adups malware.

The Adups malware was discovered by Kryptowire in 2017 and it is a malicious firmware component created by a Chinese company with the same name.

Adups offers the component as a firmware-over-the-air (FOTA) update system to various smartphone manufacturers and firmware vendors.

The component is supposed to give firmware vendors a way to update their code, but in 2017 the Kryptowire team discovered that Adups (the company) could also send updates to users' phones itself, bypassing both smartphone vendors and users.

Malwarebytes says this component is present on UMX devices and is being used to install apps without the user's knowledge. By whom remains unclear.

“From the moment you log in to the mobile device (the UMX U686CL), Wireless Update starts installing apps automatically,” said the Malwarebytes team. “To repeat: no user permission has been collected, no buttons to click to accept the installations, it only installs apps on its own.

“Although the apps it installs are initially clean and free of malware, it is important to know that these apps are added to the device without the user's notification or consent. This opens up the potential for malware to be unknowingly installed in a future update for one of the apps that are added by Wireless Update at any time.”

Dropper leads to adware

But Malwarebytes said there is a second dangerous component on these phones. Researchers said they also found suspicious code in the phone's Settings app.

The app, Malwarebytes says, was infected with what appeared to be heavily obfuscated malware, presumably of Chinese origin, given the heavy use of Chinese characters as variable names.

Security researchers said this malware was built to work as a dropper for a second-stage malware, a well-known adware family known as HiddenAds.

“Although we still have to reproduce the dropping of additional malware, our users have reported that indeed a variant of HiddenAds is suddenly installed on their UMX mobile device,” Malwarebytes said.

Non-removable

Malwarebytes researchers said they could not confirm that Unimax was the party that added the malware to the devices.

This may be another case where malware was added to devices by third parties involved in a smartphone's supply chain, while the devices travel from the phone manufacturer to a buyer.

Malwarebytes said that although the device is “not a bad phone”, the presence of the two malware-infected apps makes the smartphone worthless and even dangerous for its users.

Even worse, the two malicious apps cannot be removed.

Although users could disable and uninstall the Wireless Update app, this would cause the phone to miss out on essential security updates for its firmware components, which effectively makes the app non-removable, at least if you want to keep your device up to date.

The Settings app, on the other hand, is non-removable in the literal sense: there is no way to remove the app, and even if you could, you would not be able to manage your phone afterwards.

Malwarebytes says it has informed Assurance Wireless of its findings, but has never heard back from the company. A request for comment that ZDNet sent two days ago has not been answered either.