US government subsidized Android phones found to include unremovable malware
Cheap smartphones sold in the U.S. through a government assistance program have been found to include unremovable malware.
The malware was discovered by security researchers at Malwarebytes Inc., which publicized it Thursday.
The phones are offered for sale by Assurance Wireless by Virgin Mobile via the Lifeline Assistance program, a U.S. Federal Communications Commission-funded program that offers communications services to low-income consumers. The model where the malware was found, the UMX U686CL phone made by Chinese company Unimax International Ltd., is sold to Lifeline Assistance users for $35.
There were two types of malware preinstalled on the phone. The first malicious code, a variant of the Adups malware, was found in an app called Wireless Update that comes with the phone. Adups is a Chinese company that has previously been caught collecting data, creating backdoors and developing auto-installers. The infected app itself starts auto-installing apps from the moment a user logs into the smartphone with no user consent required.
The second malware detected was found in the phone’s Settings app. The malware, designated Android/Trojan.Dropper.Agent.UMX, combines both a Trojan virus and ad-serving malware.
Both sets of malware had Chinese writing in them, and along with the phone itself being manufactured in China, the origin is fairly clear. The security researchers noted, however, that it could simply “be a coincidence rather than explicit malcontent — we cannot confirm if the makers of the device are aware there is Chinese malware pre-installed.”
Malware coming pre-installed on a phone is not good to start with, but making matters worse is that it cannot be removed without disabling the phone in the process.
Erich Kron, security awareness advocate at security training company KnowBe4 Inc., told SiliconANGLE that the incident certainly illustrates the increasing concerns around supply chain management and the complexity behind it.
“Quite often manufacturers do not write all of the software needed to run the devices, but instead license software from other providers or the manufacturers of the chips themselves,” Kron explained. “This makes ensuring all of the code is secure and trustworthy a difficult task and is not just related to lower-tier providers.”
He noted that a similar issue was recently reported with Samsung, which uses software from China’s Qihoo 360 even on its top-end phones such as the Galaxy S10+, and it can’t be uninstalled.
“In the hypercompetitive world of cellular phones and electronic devices, the struggle to create the most inexpensive phones with the strongest feature set results in less security testing and will likely result in similar events in the future,” Kron said.