FCC is supplying malware-loaded phones to low-income users

Budget handsets are pre-installed with malicious apps that leak data to Chinese hackers, report finds

A federal programme supplying cheap mobile phones to low-income US citizens has been accidentally selling handsets loaded with Chinese malware that can’t be removed.

The UMX U686CL handset, available at just $35 under the FCC’s Lifeline Assistance programme, is being distributed with pre-loaded software that creates backdoors that could potentially leak user data.

Advertisement - Article continues below

The UMX handsets, distributed through Virgin Mobile’s Assurance Wireless scheme, are bundled with an app called ‘Wireless Update’. Researchers discovered this is an offshoot of Adups, a Chinese firm known for harvesting user data and building auto-installers.

Wireless Update, incidentally, is the only way users can update the handset’s operating system.

The phone’s own Settings app, too, functions as a cleverly disguised piece of malware that cannot be removed or else the devices becomes entirely unusable. 

“Pre-installed malware continues to be a scourge for users of mobile devices,” said senior malware intelligence analyst with Malwarebytes, Nathan Collier. 

“But now that there’s a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behaviour by app development companies.”

“Budget should not dictate whether a user can remain safe on his or her mobile device.”

Phone manufacturers paying to install pre-loaded apps containing potentially harmful code is a worrying trend, increasingly highlighted by security experts.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Researchers highlighted their concerns in a paper last year, identifying variants of well-known malware families loaded into pre-installed apps supplied in predominately low-end range phones. 

Malwarebytes was first alerted to complaints around government-issued phones from its users in October 2019, before purchasing a UMX U686CL to investigate further.

After learning that Wireless Update was flagged with a malicious detection name, Malwarebytes informed Virgin’s Assurance Wireless scheme of the potential dangers - but did not hear back.

Wireless Update begins auto-installing apps the moment users sign into their device but doesn’t ask users for consent for any installations. While the app installs are initially malware-free, the apps are added with no notifications or attempts to seek user consent.

This arrangement, researchers argue, opens the door for malware to be unknowingly installed in future updates to any of the apps automatically added by Wireless Update.

To compound the issue, the malicious Settings app serves as the dashboard from which the phone’s settings are changed, and cannot be removed without bricking these devices. The malware also shares characteristics with other known Trojans.

Advertisement - Article continues below

The Settings app contains a string within its code that, when decoded, revealed a hidden library file. When activated, this is loaded into the device’s memory before dropping a further piece of malware known as HiddenAds.

Related Resource

Strengthen your defences against cybercrime

Cyber resilience planning for email

Download now

Collier added there’s currently no way to uninstall pre-installed apps on devices like the UMX, and doing so, in any case, would lead to dire consequences for usability.

Uninstalling Wireless Update, for example, could lead users to miss out on critical operating system patches, given it’s the only way to update the phone’s software. Removing Settings, meanwhile, would brick the phone entirely.

Although the UMX situation adds a unique dimension to phones that come with pre-installed malware, given these are supplied by the US government, it’s not entirely uncommon.

Research published in 2017 showed a plethora of Android devices, from device makers including Samsung, LG, Asus, Opp, and Xiaomi, among others, were packaged and sold with pre-installed malware.

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement
Advertisement

Recommended

Visit/security/malware/355093/evasive-malware-threats-are-surging
malware

Evasive malware threats doubled in 2019

24 Mar 2020
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

2 Mar 2020
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/software/video-conferencing/355257/taiwan-first-country-to-ban-zoom-amid-security-concerns
video conferencing

Taiwan becomes first country to ban Zoom amid security concerns

8 Apr 2020
Visit/security/cyber-security/355271/microsoft-gobbles-up-corpcom-domain-to-keep-it-from-hackers
cyber security

Microsoft gobbles up corp.com domain to keep it from hackers

8 Apr 2020