FCC is supplying malware-loaded phones to low-income users

Budget handsets are pre-installed with malicious apps that leak data to Chinese hackers, report finds

A federal programme supplying cheap mobile phones to low-income US citizens has been accidentally selling handsets loaded with Chinese malware that can’t be removed.

The UMX U686CL handset, available at just $35 under the FCC’s Lifeline Assistance programme, is being distributed with pre-loaded software that creates backdoors that could potentially leak user data.

The UMX handsets, distributed through Virgin Mobile’s Assurance Wireless scheme, are bundled with an app called ‘Wireless Update’. Researchers discovered this is an offshoot of Adups, a Chinese firm known for harvesting user data and building auto-installers.

Wireless Update, incidentally, is the only way users can update the handset’s operating system.

The phone’s own Settings app, too, functions as a cleverly disguised piece of malware that cannot be removed or else the devices becomes entirely unusable. 

“Pre-installed malware continues to be a scourge for users of mobile devices,” said senior malware intelligence analyst with Malwarebytes, Nathan Collier. 

“But now that there’s a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behaviour by app development companies.”

“Budget should not dictate whether a user can remain safe on his or her mobile device.”

Phone manufacturers paying to install pre-loaded apps containing potentially harmful code is a worrying trend, increasingly highlighted by security experts.

Researchers highlighted their concerns in a paper last year, identifying variants of well-known malware families loaded into pre-installed apps supplied in predominately low-end range phones. 

Malwarebytes was first alerted to complaints around government-issued phones from its users in October 2019, before purchasing a UMX U686CL to investigate further.

After learning that Wireless Update was flagged with a malicious detection name, Malwarebytes informed Virgin’s Assurance Wireless scheme of the potential dangers - but did not hear back.

Wireless Update begins auto-installing apps the moment users sign into their device but doesn’t ask users for consent for any installations. While the app installs are initially malware-free, the apps are added with no notifications or attempts to seek user consent.

This arrangement, researchers argue, opens the door for malware to be unknowingly installed in future updates to any of the apps automatically added by Wireless Update.

To compound the issue, the malicious Settings app serves as the dashboard from which the phone’s settings are changed, and cannot be removed without bricking these devices. The malware also shares characteristics with other known Trojans.

The Settings app contains a string within its code that, when decoded, revealed a hidden library file. When activated, this is loaded into the device’s memory before dropping a further piece of malware known as HiddenAds.

Related Resource

Strengthen your defences against cybercrime

Cyber resilience planning for email

Download now

Collier added there’s currently no way to uninstall pre-installed apps on devices like the UMX, and doing so, in any case, would lead to dire consequences for usability.

Uninstalling Wireless Update, for example, could lead users to miss out on critical operating system patches, given it’s the only way to update the phone’s software. Removing Settings, meanwhile, would brick the phone entirely.

Although the UMX situation adds a unique dimension to phones that come with pre-installed malware, given these are supplied by the US government, it’s not entirely uncommon.

Research published in 2017 showed a plethora of Android devices, from device makers including Samsung, LG, Asus, Opp, and Xiaomi, among others, were packaged and sold with pre-installed malware.

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
Best free malware removal tools 2020
Security

Best free malware removal tools 2020

21 Sep 2020
'NetWalker' ransomware explodes thanks to 'as a service' expansion
ransomware

'NetWalker' ransomware explodes thanks to 'as a service' expansion

4 Sep 2020
Malware attacks using machine identities doubled in 2019
cyber security

Malware attacks using machine identities doubled in 2019

4 Aug 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Nokia will replace Huawei as BT's largest 5G equipment provider
5G

Nokia will replace Huawei as BT's largest 5G equipment provider

29 Sep 2020