Malwarebytes has just exposed yet another budget handset connected to Assurance Wireless by Virgin Mobile with the same security issues it found over six months ago.
Assurance Wireless is part of the Lifeline Assistance program, a 1985 US initiative that subsidizes telephone services for low-income families.
Last January, preinstalled malware was discovered bundled with the Android operating system on the Unimax (UMX) U686CL, a low-end device sold under the program, which has been the centre of attention since the discovery.
The problem with this malware is that there is no way to remove the apps from the handsets, and it automatically installs other software without the owner’s knowledge.
This time, the device in question is the ANS (American Network Solutions) UL40, running Android OS 7.1.1.
On Wednesday, Nathan Collier, a Malwarebytes researcher, said that, following January’s report, a variety of ANS phones were subject to the same issue. The researchers were able to get a sample device for investigation. It is still unclear whether the device came from Assurance Wireless, as the handset can also be bought via other online stores and marketplaces.
The UMX U686CL has two compromised apps: the Settings app and the WirelessUpdate app. Malwarebytes detects the Settings app as Downloader Wotby, a Trojan that can download apps externally. The researchers could not find any evidence of malicious apps in a third-party store linked to the software, but cautioned that this does not mean malicious apps could not be added or find their way into the store later.
The WirelessUpdate app is classed as a Potentially Unwanted Program (PUP) that can also automatically install apps without the user’s permission. While the app still functions as an updater for security fixes and the operating system, the software also installs four variants of HiddenAds, a Trojan family found on Android devices.
HiddenAds is a strain of adware that barrages users with advertisements. To verify where the malware came from, Malwarebytes disabled WirelessUpdate and then re-enabled the app. Within 24 hours, four adware strains were installed. Upon further investigation, they traced the certificate back to TeleEpoch Ltd, which is registered as UMX in the United States.
According to Collier, “We have a Settings app found on an ANS UL40 with a digital certificate signed by a company that is a registered brand of UMX.”
“That’s two different Settings apps with two different malware variants on two different phone manufacturers & models that appear to all tie back to TeleEpoch Ltd. Additionally, thus far the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX,” he added.
However, it is unclear whether the vendors are at fault or whether the malicious apps were introduced further down the supply chain. After the report of the U686CL’s malware issue, UMX removed the malicious apps. Malwarebytes says it has “the utmost faith that ANS will quickly find a resolution to this issue” in the same way.
“There are tradeoffs when choosing a budget mobile device,” Collier commented. “Some expected tradeoffs are performance, battery life, storage size, screen quality, and list of other things to make a mobile device light on the wallet. However, the budget should never mean compromising one’s safety with preinstalled malware. Period,” he added.
How to Remove Malicious Apps
Users can follow these removal steps to stop HiddenAds. Just this week, Kaspersky researchers warned that mobile adware is becoming vicious and difficult to remove from tablets and smartphones. In 14.8% of attacks recorded by the cybersecurity company, malware or adware infected the system partition, where removal can lead to handset failure.
ⓒ 2018 TECHTIMES.com All rights reserved. Do not reproduce without permission.