Phone pre-installed with ‘Chinese malware’ offered for free by US government

10 Jan 2020

Image: © TimeStopper/Stock.adobe.com

It is claimed that a US programme to provide citizens with affordable or free phones is using Android devices pre-installed with Chinese malware.

Cybersecurity company MalwareBytes has published a blog post claiming that what is installed on a phone provided through US government-supported funding is “appalling”.

Under the government-funded Lifeline Assistance programme, Virgin Mobile-owned carrier Assurance Wireless offers the UMX U686CL phone as their most budget-conscious phone option. This includes a package that comes with free data, texts and minutes.

However, MalwareBytes claimed to have identified two malware packages pre-installed on the phone, which suggest they are of Chinese origin. The first poses as an updater app named Wireless Update, the security company said, which is the only way of updating the phone’s operating system and has been found to be capable of installing apps without the user’s consent.

By digging through the code, MalwareBytes said it identified the app as a variant of Adups, a Chinese-based company accused of collecting user data, creating backdoors for mobile devices and developing auto-installers.

“While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user,” wrote Nathan Collier, MalwareBytes senior analyst.

“This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time.”

The second unremovable malware package found on the UMX U686CL phone is allegedly baked into its Settings app. This means that removing it would render the phone unusable. MalwareBytes said it is an Android/Trojan.Dropper.Agent.UMX that shares characteristics with two other variants of known mobile Trojan droppers.

One of these variants is said to use Chinese characters, leading the researchers to believe the malware is of Chinese origin. Collier said that while it is possible to uninstall these pre-installed malware apps, it would mean critical security Android updates in the future would be unavailable.

An ever-present scourge

“Pre-installed malware continues to be a scourge for users of mobile devices,” he said.

“But now that there’s a mobile device available for purchase through a US government-funded programme, this henceforth raises (or lowers, however you view it) the bar on bad behaviour by app development companies.”

MalwareBytes said it attempted to warn Assurance Wireless of the malware, but received no reply, leading to its blog post. However, a spokesperson for Sprint – which owns Virgin Mobile and Assurance Wireless – told Forbes: “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause.

“However, after our initial testing we do not believe the applications described in the media are malware.”

In response to the allegations, US senator Ron Wyden has called for a Federal Communications Commission investigation.

“It is outrageous that taxpayer money may be going to companies providing insecure, malware-ridden phones to low-income families,” he said.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com