More pre-installed malware has been found in budget US smartphones

Cheap phones often have tradeoffs but researchers say this should never compromise user safety.
Written by Charlie Osborne, Contributing Writer

Pre-installed malware has been discovered on another budget handset connected to Assurance Wireless by Virgin Mobile. 

Back in January, cybersecurity researchers from Malwarebytes discovered unremovable malware bundled with the Android operating system on the Unimax (UMX) U686CL, a low-end handset sold by Assurance Wireless as part of the Lifeline Assistance program, a 1985 US initiative which subsidizes telephone services for low-income families. 

A pair of apps on the handsets could not be removed, and would install other software on the devices without the user's knowledge. 

Now, Malwarebytes has uncovered another budget handset with similar security issues. 

The smartphone in question is the ANS (American Network Solutions) UL40, running Android OS 7.1.1. 

Malwarebytes researcher Nathan Collier said on Wednesday that following January's report, followers of the company said that a variety of ANS phone models were subject to the same problems -- however, without handling a physical device, these claims were difficult to verify. 

The team was able to get their hands on an ANS UL40 for investigation. While it is not clear if the device is still directly on sale by Assurance Wireless, the user manual is still listed on the vendor's website -- inaccessible at the time of writing -- and the handset can still be purchased via other online stores and marketplaces. 

In the same way as the UMX U686CL, two apps -- a settings app and wireless update app -- are compromised. However, these apps are not infected with the same malware variants; instead, Collier says the "infections are similar but have their own unique infection characteristics."

The Settings app is detected as Downloader Wotby, a Trojan that is able to download apps externally. The researchers did not find any evidence of malicious apps in a third-party store linked to the software but noted this doesn't mean that malicious apps could not be added or find their way into the store at a later date. 

The WirelessUpdate app is considered a Potentially Unwanted Program (PUP) that is also able to automatically install apps without user permission or knowledge. 

While the app does function as an over-the-air updater for security fixes and as an updater to the operating system itself, the software also installs four variants of HiddenAds, a Trojan family found on Android handsets. 

HiddenAds is a strain of adware that bombards users with adverts. In order to verify where the malware originated from, Malwarebytes disabled WirelessUpdate and then re-enabled the app. Within 24 hours, four adware strains were covertly installed. 

As the malware on the UMX and ANS devices differs, the team wanted to see if there were any ties linking the brands. A common thread was the digital certificate used to sign the ANS Settings app under the name teleepoch. Upon further investigation, the certificate was traced back to TeleEpoch Ltd, which is registered as UMX in the United States. 

"We have a Settings app found on an ANS UL40 with a digital certificate signed by a company that is a registered brand of UMX," Collier says. "That's two different Settings apps with two different malware variants on two different phone manufacturers & models that appear to all tie back to TeleEpoch Ltd. Additionally, thus far the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX."

According to Collier, the ANS L51 was then examined and was found to have the same malicious apps as the UMX U683CL. 

However, it is unclear whether the vendors are at fault, or whether the malicious apps were introduced down the supply chain.

Once informed of the U683CL's malware issue in January, UMX removed the malicious apps. Malwarebytes says the company has "the utmost faith that ANS will quickly find a resolution to this issue" in the same way. 

"There are tradeoffs when choosing a budget mobile device," Collier commented. "Some expected tradeoffs are performance, battery life, storage size, screen quality, and a list of other things in order to make a mobile device light on the wallet. However, budget should never mean compromising one's safety with pre-installed malware. Period."

In the meantime, users can follow these removal steps to stop HiddenAds infections. 

Earlier this week, Kaspersky researchers warned that mobile adware is becoming increasingly sophisticated and difficult to remove from smartphones and tablets. In 14.8% of attacks recorded by the company, malware or adware would infect the system partition, where removal can lead to device failure.

ZDNet has reached out to Assurance Wireless with additional queries and will update when we hear back. 
