Researchers found unremovable malware preinstalled in the Unimax U686CL, a budget Android device sold by Assurance Wireless.

Kelly Sheridan, Former Senior Editor, Dark Reading

January 9, 2020

4 Min Read

Budget Android smartphones offered through a US government initiative for low-income Americans come with preinstalled, unremovable Chinese malware, researchers report.

These low-cost smartphones are sold by Assurance Wireless, a federal Lifeline Assistance program under Virgin Mobile. Lifeline, supported by the federal Universal Service Fund, is a government program launched in 1985 to provide discounted phone service to low-income households. The Unimax (UMX) U686CL ($35) is the most inexpensive smartphone it sells.

In October 2019, Malwarebytes began to receive complaints in its support system from users of the UMX U686CL who reported some pre-installed apps on their government-funded phones were malicious. Researchers purchased one of these smartphones to verify customers' claims.

The first suspicious app they detected is Wireless Update, which is capable of updating the device – it's the only way to update the phone's operating system – but also is a variant of the Adups malware. Adups is also the name of a Chinese company caught gathering user data, creating backdoors for mobile devices, and developing auto-installers, researchers report.

Years ago, Adups began partnering with budget phone companies to provide wireless phone updates, explains Nathan Collier, senior malware intelligence analyst for Malwarebytes Labs. For some reason, he notes, Google doesn't provide updates for budget smartphones.

"Adupts provides wireless updates so people can update their operating system, but they're also just installing random stuff without any user permission whatsoever," Collier explains. Not all of this content is malicious, he notes; sometimes the app simply installs hidden ads. Still, from the time the device is first activated, Wireless Update starts auto-installing apps.

"This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time," Collier writes in a blog post on the findings.

Wireless Update isn't the only unremovable app on the UMX U686CL. The phone's Settings app also functions as heavily obfuscated malware detected as Android/Trojan.Dropper.Agent.UMX, which shares characteristics with two other variants of known mobile Trojan droppers.

"It has a lot of elements that are very similar to other elements of Trojan droppers that we know for sure are dropping hidden ads," Collier explains. Hidden ads are growing more popular in the malware community, as attackers generate a little revenue with each click. On one device this may not amount to much, he adds, but it can add up over time as the victim pool grows.

Malwarebytes has a way to uninstall preinstalled apps for current users; however, this could have consequences on the UMX. Uninstalling Wireless Update could cause users to miss critical updates, which the company says is worth the tradeoff. Unfortunately, removing the Settings app would essentially render the device useless.

Researchers informed Assurance Wireless of the problem and have not heard a response at the time of writing. Customers were also reaching out to UMX, Collier says, noting this problem falls on Assurance. It's worth noting UMX devices are made by a Chinese company; however, it has not been confirmed whether the device makers know there is Chinese malware preinstalled.

The issue of preinstalled malware has grown over the past several years. Now, as it starts to affect the Settings app and other critical parts of device software, it's becoming more of a challenge for users. Unlike apps that can be deleted and forgotten, the apps affected here cannot be simply uninstalled without irreversibly damaging the phone.

"This has been an issue for quite a while and it's getting worse and worse," Collier says. "We're seeing it on a lot of different budget carriers around the world."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights