FCC is supplying malware-loaded phones to low-income users

Budget handsets are pre-installed with malicious apps that leak data to Chinese hackers, report finds

A federal programme supplying cheap mobile phones to low-income US citizens has been accidentally selling handsets loaded with Chinese malware that can’t be removed.

The UMX U686CL handset, available at just $35 under the FCC’s Lifeline Assistance programme, is being distributed with pre-loaded software that creates backdoors that could potentially leak user data.

The UMX handsets, distributed through Virgin Mobile’s Assurance Wireless scheme, are bundled with an app called ‘Wireless Update’. Researchers discovered this is an offshoot of Adups, a Chinese firm known for harvesting user data and building auto-installers.

Wireless Update, incidentally, is the only way users can update the handset’s operating system.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The phone’s own Settings app, too, functions as a cleverly disguised piece of malware that cannot be removed or else the devices becomes entirely unusable. 

“Pre-installed malware continues to be a scourge for users of mobile devices,” said senior malware intelligence analyst with Malwarebytes, Nathan Collier. 

“But now that there’s a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behaviour by app development companies.”

“Budget should not dictate whether a user can remain safe on his or her mobile device.”

Phone manufacturers paying to install pre-loaded apps containing potentially harmful code is a worrying trend, increasingly highlighted by security experts.

Researchers highlighted their concerns in a paper last year, identifying variants of well-known malware families loaded into pre-installed apps supplied in predominately low-end range phones. 

Advertisement - Article continues below

Malwarebytes was first alerted to complaints around government-issued phones from its users in October 2019, before purchasing a UMX U686CL to investigate further.

After learning that Wireless Update was flagged with a malicious detection name, Malwarebytes informed Virgin’s Assurance Wireless scheme of the potential dangers - but did not hear back.

Wireless Update begins auto-installing apps the moment users sign into their device but doesn’t ask users for consent for any installations. While the app installs are initially malware-free, the apps are added with no notifications or attempts to seek user consent.

This arrangement, researchers argue, opens the door for malware to be unknowingly installed in future updates to any of the apps automatically added by Wireless Update.

Advertisement
Advertisement - Article continues below

To compound the issue, the malicious Settings app serves as the dashboard from which the phone’s settings are changed, and cannot be removed without bricking these devices. The malware also shares characteristics with other known Trojans.

The Settings app contains a string within its code that, when decoded, revealed a hidden library file. When activated, this is loaded into the device’s memory before dropping a further piece of malware known as HiddenAds.

Related Resource

Strengthen your defences against cybercrime

Cyber resilience planning for email

Download now

Collier added there’s currently no way to uninstall pre-installed apps on devices like the UMX, and doing so, in any case, would lead to dire consequences for usability.

Uninstalling Wireless Update, for example, could lead users to miss out on critical operating system patches, given it’s the only way to update the phone’s software. Removing Settings, meanwhile, would brick the phone entirely.

Although the UMX situation adds a unique dimension to phones that come with pre-installed malware, given these are supplied by the US government, it’s not entirely uncommon.

Research published in 2017 showed a plethora of Android devices, from device makers including Samsung, LG, Asus, Opp, and Xiaomi, among others, were packaged and sold with pre-installed malware.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Visit/operating-systems/microsoft-windows/354789/microsoft-pulls-disastrous-windows-10-security-update
Microsoft Windows

Microsoft pulls disastrous Windows 10 security update

17 Feb 2020
Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/business/business-operations/354790/hp-shareholders-invited-to-come-dine-with-xerox
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020