Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/9/2020
04:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Chinese Malware Found Preinstalled on US Government-Funded Phones

Researchers found unremovable malware preinstalled in the Unimax U686CL, a budget Android device sold by Assurance Wireless.

Budget Android smartphones offered through a US government initiative for low-income Americans come with preinstalled, unremovable Chinese malware, researchers report.

These low-cost smartphones are sold by Assurance Wireless, a federal Lifeline Assistance program under Virgin Mobile. Lifeline, supported by the federal Universal Service Fund, is a government program launched in 1985 to provide discounted phone service to low-income households. The Unimax (UMX) U686CL ($35) is the most inexpensive smartphone it sells.

In October 2019, Malwarebytes began to receive complaints in its support system from users of the UMX U686CL who reported some pre-installed apps on their government-funded phones were malicious. Researchers purchased one of these smartphones to verify customers' claims.

The first suspicious app they detected is Wireless Update, which is capable of updating the device – it's the only way to update the phone's operating system – but also is a variant of the Adups malware. Adups is also the name of a Chinese company caught gathering user data, creating backdoors for mobile devices, and developing auto-installers, researchers report.

Years ago, Adups began partnering with budget phone companies to provide wireless phone updates, explains Nathan Collier, senior malware intelligence analyst for Malwarebytes Labs. For some reason, he notes, Google doesn't provide updates for budget smartphones.

"Adupts provides wireless updates so people can update their operating system, but they're also just installing random stuff without any user permission whatsoever," Collier explains. Not all of this content is malicious, he notes; sometimes the app simply installs hidden ads. Still, from the time the device is first activated, Wireless Update starts auto-installing apps.

"This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time," Collier writes in a blog post on the findings.

Wireless Update isn't the only unremovable app on the UMX U686CL. The phone's Settings app also functions as heavily obfuscated malware detected as Android/Trojan.Dropper.Agent.UMX, which shares characteristics with two other variants of known mobile Trojan droppers.

"It has a lot of elements that are very similar to other elements of Trojan droppers that we know for sure are dropping hidden ads," Collier explains. Hidden ads are growing more popular in the malware community, as attackers generate a little revenue with each click. On one device this may not amount to much, he adds, but it can add up over time as the victim pool grows.

Malwarebytes has a way to uninstall preinstalled apps for current users; however, this could have consequences on the UMX. Uninstalling Wireless Update could cause users to miss critical updates, which the company says is worth the tradeoff. Unfortunately, removing the Settings app would essentially render the device useless.

Researchers informed Assurance Wireless of the problem and have not heard a response at the time of writing. Customers were also reaching out to UMX, Collier says, noting this problem falls on Assurance. It's worth noting UMX devices are made by a Chinese company; however, it has not been confirmed whether the device makers know there is Chinese malware preinstalled.

The issue of preinstalled malware has grown over the past several years. Now, as it starts to affect the Settings app and other critical parts of device software, it's becoming more of a challenge for users. Unlike apps that can be deleted and forgotten, the apps affected here cannot be simply uninstalled without irreversibly damaging the phone.

"This has been an issue for quite a while and it's getting worse and worse," Collier says. "We're seeing it on a lot of different budget carriers around the world."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11655
PUBLISHED: 2020-04-09
SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.
CVE-2020-11656
PUBLISHED: 2020-04-09
In SQLite through 3.31.1, the ALTER TABLE implementation has a use-after-free, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
CVE-2019-20637
PUBLISHED: 2020-04-08
An issue was discovered in Varnish Cache before 6.0.5 LTS, 6.1.x and 6.2.x before 6.2.2, and 6.3.x before 6.3.1. It does not clear a pointer between the handling of one client request and the next request within the same connection. This sometimes causes information to be disclosed from the connecti...
CVE-2020-11650
PUBLISHED: 2020-04-08
An issue was discovered in iXsystems FreeNAS 11.2 and 11.3 before 11.3-U1. It allows a denial of service.
CVE-2020-11653
PUBLISHED: 2020-04-08
An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6.2.x before 6.2.3, and 6.3.x before 6.3.2. It occurs when communication with a TLS termination proxy uses PROXY version 2. There can be an assertion failure and daemon restart, which causes a performance loss.