Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/9/2020
04:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Chinese Malware Found Preinstalled on US Government-Funded Phones

Researchers found unremovable malware preinstalled in the Unimax U686CL, a budget Android device sold by Assurance Wireless.

Budget Android smartphones offered through a US government initiative for low-income Americans come with preinstalled, unremovable Chinese malware, researchers report.

These low-cost smartphones are sold by Assurance Wireless, a federal Lifeline Assistance program under Virgin Mobile. Lifeline, supported by the federal Universal Service Fund, is a government program launched in 1985 to provide discounted phone service to low-income households. The Unimax (UMX) U686CL ($35) is the most inexpensive smartphone it sells.

In October 2019, Malwarebytes began to receive complaints in its support system from users of the UMX U686CL who reported some pre-installed apps on their government-funded phones were malicious. Researchers purchased one of these smartphones to verify customers' claims.

The first suspicious app they detected is Wireless Update, which is capable of updating the device – it's the only way to update the phone's operating system – but also is a variant of the Adups malware. Adups is also the name of a Chinese company caught gathering user data, creating backdoors for mobile devices, and developing auto-installers, researchers report.

Years ago, Adups began partnering with budget phone companies to provide wireless phone updates, explains Nathan Collier, senior malware intelligence analyst for Malwarebytes Labs. For some reason, he notes, Google doesn't provide updates for budget smartphones.

"Adupts provides wireless updates so people can update their operating system, but they're also just installing random stuff without any user permission whatsoever," Collier explains. Not all of this content is malicious, he notes; sometimes the app simply installs hidden ads. Still, from the time the device is first activated, Wireless Update starts auto-installing apps.

"This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time," Collier writes in a blog post on the findings.

Wireless Update isn't the only unremovable app on the UMX U686CL. The phone's Settings app also functions as heavily obfuscated malware detected as Android/Trojan.Dropper.Agent.UMX, which shares characteristics with two other variants of known mobile Trojan droppers.

"It has a lot of elements that are very similar to other elements of Trojan droppers that we know for sure are dropping hidden ads," Collier explains. Hidden ads are growing more popular in the malware community, as attackers generate a little revenue with each click. On one device this may not amount to much, he adds, but it can add up over time as the victim pool grows.

Malwarebytes has a way to uninstall preinstalled apps for current users; however, this could have consequences on the UMX. Uninstalling Wireless Update could cause users to miss critical updates, which the company says is worth the tradeoff. Unfortunately, removing the Settings app would essentially render the device useless.

Researchers informed Assurance Wireless of the problem and have not heard a response at the time of writing. Customers were also reaching out to UMX, Collier says, noting this problem falls on Assurance. It's worth noting UMX devices are made by a Chinese company; however, it has not been confirmed whether the device makers know there is Chinese malware preinstalled.

The issue of preinstalled malware has grown over the past several years. Now, as it starts to affect the Settings app and other critical parts of device software, it's becoming more of a challenge for users. Unlike apps that can be deleted and forgotten, the apps affected here cannot be simply uninstalled without irreversibly damaging the phone.

"This has been an issue for quite a while and it's getting worse and worse," Collier says. "We're seeing it on a lot of different budget carriers around the world."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Vulnerability Disclosure Programs See Signups & Payouts Surge
Kelly Sheridan, Staff Editor, Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25772
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...