Government-funded, low-cost cell phones are shipping with pre-installed malware aimed at bombing users with unwanted ads, according to researchers. The UMX U686CL Android-based phone, which is made available to low-income citizens in the U.S. via the Lifeline Assistance Program for $35, uses a “Settings” app that researcher claim is actually a “trojan dropper.” According to Nathan Collier, a researcher at Malwarebytes, its function is to fetch and install other applications or malware. Unfortunately for those enrolled in Lifeline, the Settings app cannot be removed. That’s because the Settings app is essential and provides user access to the phone’s core settings. As such, if it’s uninstalled, the device becomes unusable. !(https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg) The code in question is “heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX,” Collier wrote [in a post](<https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/>) on Thursday. He added that its nuts and bolts are nearly identical to another known mobile dropper trojan, which comes in two variants called ALReceiver and ALAJobService. “The only difference between the…codes are their variable names,” according to the analysis. At their core, both droppers have an encoded string within the code that, once decoded, reveals a hidden library file named com.android.google.bridge.LibImp. Once it’s decoded (using Base64 decoding), the library is loaded into memory using DexClassLoader. And after the library is loaded into memory, the dropper fulfills its function by installing another piece of malware – in the case of UMX U686CL, it’s a known malvertising application called [HiddenAds](<https://blog.malwarebytes.com/detections/android-trojan-hiddenads-bira/>). Collier said that Malwarebytes customers have confirmed that an app called HiddenAds has suddenly appeared on their phones. After installing on a device, periodic full-screen ads will plague the user. ## Wireless Update There’s also a second concerning application pre-installed on the phone, dubbed Wireless Update. This also serves a legitimate function, receiving and installing over-the-air OS upgrades for the phone – and it does this automatically. However, it also automatically receives and installs other apps without user consent, Collier warned, making the app questionable at best. “From the moment you log into the mobile device, Wireless Update starts auto-installing apps,” he noted. “There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own.” These apps have so far been malware-free, but the functionality obviously opens the door to potential malware infections down the line, Collier said. And adding to the concern is the fact that Wireless Update’s code is identical to code used by a malware from a shady company called [Adups Technology](<https://threatpost.com/phone-maker-blu-settles-with-ftc-over-unauthorized-user-data-extraction/131679/>). “Adups is a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers,” he said. According to [previous research](<https://blog.malwarebytes.com/cybercrime/2018/10/mobile-menace-monday-top-five-scariest-mobile-threats/>), the Adups app has been seen installing HiddenAds and other trojans on victim devices in the past. And Adups the company has been in hot water before, after Android phone-maker BLU Products admitted to [sharing reams of information](<https://threatpost.com/down-the-rabbit-hole-with-a-blu-phone-infection/128390/>) with it, including the full contents of their users’ text messages, real-time cell tower location data, call and text-message logs, contact lists, and applications used and installed on devices. Wireless Update can be uninstalled, but users would be left with no security fixes. Collier pointed out that this could be a decent tradeoff. ## Who is Responsible? Looking into how the malware got there to begin with, Collier found only dead ends and a lack of response. China is where the phones are manufactured, and the dropper app’s code also appears to have been created by Chinese authors: “The more discernible variant of this malware uses Chinese characters for variable names. Therefore, we can assume the origin of this malware is China,” according to the analysis. This brings up the question of whether the dropper was injected somewhere along the supply chain during the manufacturing process in Asia, unbeknownst to the manufacturer. Google [last year reported](<https://threatpost.com/google-warns-of-growing-android-attack-vector-backdoored-sdks-and-pre-installed-apps/143332/>) an uptick in efforts by bad actors to plant potentially harmful applications on Android devices in this way. “Malicious actors increased their efforts to embed PHAs into the supply chain using two main entry points: New devices sold with pre-installed PHAs and over the air (OTA) updates that bundle legitimate system updates with PHAs,” wrote Google in its Android Security and Privacy Year in Review 2018, released last April. “The developers of pre-installed PHAs only need to deceive the device manufacturer or another company in the supply chain instead of large numbers of users, so it’s easier to achieve large-scale distribution.” Malwarebytes’ Collier said that he wasn’t able to confirm whether or not the company is aware of the pre-installed malware. As for Wireless Update, presumably the company made the choice to go with the Adups code for this feature, but again — this is not confirmed. Meanwhile, the phone is a Virgin Mobile-branded phone distributed by Assurance Wireless. Assurance Wireless is a federal Lifeline cell phone service provider, offering eligible customers phones, minutes and data. The phone is available at $35 under the government-funded program. “We informed Assurance Wireless of our findings and asked them point-blank why a U.S.-funded mobile carrier is selling a mobile device infected with pre-installed malware?” Collier said. “After giving them adequate time to respond, we unfortunately never heard back.” Threatpost reached out to Assurance Wireless and Virgin Mobile for comment and will update this post with any additional details. ## Not a New Issue Pre-installed malware and unwanted applications are not a new phenomenon, as noted. For instance, [in an investigation](<https://threatpost.com/down-the-rabbit-hole-with-a-blu-phone-infection/128390/>) of malware infections on BLU brand phones, Threatpost found that many phones came pre-installed with malware and also downloaded more malware via a third-party update tool. Consequences have been significant for some affected device manufacturers, if the malware or unwanted application is knowingly installed. For instance, Lenovo, the Chinese PC giant, came under fire in 2014 for [pre-loading the Superfish code](<https://threatpost.com/lenovo-ordered-to-pay-7-3m-in-superfish-fiasco/139560/>). That powered something called VisualDiscovery, which was meant to help shoppers by analyzing images on the web and presenting similar product offers with lower prices—a form of targeted advertising. After a major vulnerability was found in the Superfish code, backlash was swift, given that the adware was pre-installed on machines without any disclosure on the part of Lenovo. VisualDiscovery was installed on nearly 800,000 Lenovo laptops before the issue came to light, and the laptop-maker ended up paying a $7.3 million settlement. In the case of the UMX U686CL, there’s a socioeconomic disparity issue here that’s worth noting, Collier pointed out: “Budget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision.” _**Concerned about mobile security? **_[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) _**Top 8 Best Practices for Mobile App Security**__**, on Jan. 22 at 2 p.m. ET. **_**_Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time._** [_**Click here to register**_](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)_**.**_
Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy
Lawsuit Claims Google Collects Minors’ Locations, Browsing History
Google Updates Ad Policies to Counter Influence Campaigns, Extortion
Microsegmentation and Isolation: 2 Essential Strategies in Zero-Trust Security
Unpatched Bugs in Oracle iPlanet Open Door to Info-Disclosure, Injection
In multiple settings screens, there are possible tapjacking attacks due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.
In onCreate of ConfirmConnectActivity.java, there is a possible leak of Bluetooth information due to a permissions bypass. This could lead to local escalation of privilege of a pairing Bluetooth MAC address with no additional execution privileges needed. User interaction is needed for exploitation.
Android Security Bulletin—October 2020