Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

1/9/2020
11:30 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Cheap Phone Has Cheap Security

Phone looks a steal a $35 but it comes with free, pre-installed malware!

Nathan Collier, a senior malware intelligence analyst with Malwarebytes Labs, has found that a low-cost Android phone made in China has two large malware files pre-installed by the manufacturer that directly affect the purchaser of the phone.

He seems particularly incensed that the phone is allowed to be a part of the US government-funded Lifeline Assistance program. The program financially assures that lower-income people are able to communicate via phone subsidies.

The actual phone that we're talking about here is sold by Virgin Mobile's Assurance Wireless as the UMX U686CL. This phone is the most budget-conscious option under their Lifeline Assistance program, and is priced at $35.

The first malware app found on the phone is called "Wireless Update". This app is the only way on the phone to update the operating system if needed. While it will indeed perform that function, Collier says that it is also capable of auto-installing apps without any user consent.

Further, he says in his blog, the malware "is actually a variant of Adups, [from] a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers."

Although he was unable to find any specific malware files on the phone that were loaded by the updater upon initialization, he felt that it was important to note that any of the apps that were added to the device required zero notification or permission from the user. He thinks that this opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time.

So, he finds that there is a potent attack route embedded in a major functionality of the phone.

Additionally, Collier notes that the phone's Settings App (which serves as the dashboard from which settings are changed) shares characteristics in its code with two other variants of known mobile Trojan droppers.

After the library that is hidden in the Settings app is loaded into memory, it will then drop another piece of malware known as Android/Trojan.HiddenAds.

Malwarebytes Lab users have reported that a variant of HiddenAds suddenly installs on their UMX mobile device, confirming Collier's analysis.

To mitigate the problem, the user faces some real choices. If the Update app is removed, a critical operating system upgrade may be bypassed. Some users may wish to pursue this option if they think they can carry out any needed OS updates on their own.

But the Settings app must be present for the phone to function at all. Complete removal is not an option here. Collier points to another Malwarebytes blog entry on dealing with pre-installed malware for guidance.

Collier is not so sanguine about Assurance Wireless, however. He pointedly notes in the blog: "We informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware? After giving them adequate time to respond, we unfortunately never heard back."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34760
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the ...
CVE-2021-34789
PUBLISHED: 2021-10-21
A vulnerability in the web-based management interface of Cisco Tetration could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack on an affected system. This vulnerability exists because the web-based management interface does not sufficiently validate user...
CVE-2021-39126
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions ar...
CVE-2021-39127
PUBLISHED: 2021-10-21
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
CVE-2021-40121
PUBLISHED: 2021-10-21
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this ad...