SECURITY
Cheap smartphones sold in the U.S. through a government assistance program have been found to include unremovable malware.
The malware was discovered by security researchers at Malwarebytes Inc., which publicized it Thursday.
The phones are offered for sale by Assurance Wireless by Virgin Mobile via the Lifeline Assistance program, a U.S. Federal Communications Commission-funded program that offers communications services to low-income consumers. The model where the malware was found, the UMX U686CL phone made by Chinese company Unimax International Ltd., is sold to Lifeline Assistance users for $35.
There were two types of malware preinstalled on the phone. The first malicious code, a variant of the Adups malware, was found in an app called Wireless Update that comes with the phone. Adups is a Chinese company that has previously been caught collecting data, creating backdoors and developing auto-installers. The infected app starts auto-installing apps from the moment a user logs into the smartphone, with no user consent required.
The second malware detected was found in the phone’s Settings app. The malware, designated Android/Trojan.Dropper.Agent.UMX, combines both a Trojan virus and ad-serving malware.
Both sets of malware had Chinese writing in them and, along with the phone itself being manufactured in China, the origin is fairly clear. The security researchers noted, however, that it could simply “be a coincidence rather than explicit malcontent — we cannot confirm if the makers of the device are aware there is Chinese malware pre-installed.”
Malware coming pre-installed on a phone is not good to start with, but making matters worse is that it cannot be removed without disabling the phone in the process.
Erich Kron, security awareness advocate at security training company KnowBe4 Inc., told SiliconANGLE that the incident certainly illustrates the increasing concerns around supply chain management and the complexity behind it.
“Quite often manufacturers do not write all of the software needed to run the devices, but instead license software from other providers or the manufacturers of the chips themselves,” Kron explained. “This makes ensuring all of the code is secure and trustworthy a difficult task and is not just related to lower-tier providers.”
He noted that a similar issue was recently reported with Samsung, which uses software from China’s Qihoo 360 even on its top-end phones such as the Galaxy S10+, and it can’t be uninstalled.
“In the hypercompetitive world of cellular phones and electronic devices, the struggle to create the most inexpensive phones with the strongest feature set results in less security testing and will likely result in similar events in the future,” Kron said.