Security researchers from Malwarebytes found pre-installed malware on UMX U683CL handsets. The phones are made under the Lifeline program to low-income consumers for Affordable Communications.
Multiple users reported to Malwarebytes that HiddenAds suddenly get installed on their UMX mobile phone, so the company purchased a UMX U683CL for further analysis.
Malware Comes Pre-Installed
The UMX U683CL phones offered by Assurance Wireless and it cost only $35 under the government-funded program.
Once the user logs into the device a questionable app named Wireless Update, starts auto-installing apps without user consent. It doesn’t notify users or request any permission to install apps, it just installs the apps on its own.
A malicious app detected as Android/PUP.Riskware.Autoins.Fota.fbcvd get’s installed during the update process. The Agent is heavily obfuscated and it is a vital part of the system. It is a variant of Adups malware.
It is a malicious firmware that comes preinstalled on the devices and it has system-level rights, Malwarebytes able to confirm the firmware presence on the phones.
“It’s with great frustration that I must write about another unremovable pre-installed app found on the UMX U683CL phone: the mobile device’s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX.”
“The more discernible variant of this malware uses Chinese characters for variable names. Therefore, we can assume the origin of this malware is China.”
The Trojan agent downloads another piece of the malware known as HiddenAds. The malware strains display aggressive ads and it is hard for an end-user to find which app displaying the ads.
Malwarebytes informed Assurance Wireless about their findings of the devices with pre-installed, but Assurance Wireless didn’t respond.
To note the UMX mobile device is made by a Chinese company, it’s unclear who installed the malware as several companies involved in the device supply chain between device manufacturer to the buyer.
There is no current solution, uninstalling the wireless Update may lead to missing out critical OS updates.
Not just pre-installed, but unremovable
It’s with great frustration that I must write about another unremovable pre-installed app found on the UMX U683CL phone: the mobile device’s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX.
Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable.
Android/Trojan.Dropper.Agent.UMX shares characteristics with two other variants of known mobile Trojan droppers. The first characteristic is that it uses the same receiver and service names. The receiver name ends with ALReceiver and the service name ends with ALAJobService. These names alone are too generic to make a solid correlation. But, coupled with the fact that the code is almost identical, and we can confidently confirm a match.
The only difference between the two codes are their variable names. The more discernible variant of this malware uses Chinese characters for variable names. Therefore, we can assume the origin of this malware is China.
Variant of malware with Chinese variable names
The second characteristic it shares is containing an encoded string within the code. Decoding this string reveals a hidden library file named com.android.google.bridge.LibImp.
Decoded string with
com.android.google.bridge.LibImp
Let’s take some time to look at how the code flows while decoding com.android.google.bridge.LibImp. It first grabs the encoded string and decodes using Base64 decoding.
Encoded string
Base64 decoding
It then loads the decoded library into memory using DexClassLoader.
DexClassLoader loading decoded string
After the library is loaded into memory, it then drops another piece of malware known as Android/Trojan.HiddenAds.
Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device.
No current resolution
Although we do have a way to uninstall pre-installed apps for current Malwarebytes users, doing so on the UMX has consequences. Uninstall Wireless Update, and you could be missing out on critical updates for the OS. We think that’s worth the tradeoff, and suggest doing so.
But uninstall the Settings app, and you just made yourself a pricey paper weight. We do offer an attempt to remediate such pre-installed malware in our blog: The new landscape of pre-installed mobile malware: malicious code within. See section: Attempting to remediate.
Pre-installed malware getting worse, as foreshadowed
As I have highlighted in this blog and blogs past, pre-installed malware continues to be a scourge for users of mobile devices.
But now that there’s a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behavior by app development companies.
Budget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision at Malwarebytes.
Final words on UMX U683CL
Having an actual UMX U683CL in my hands, I can tell you it is not a bad phone. It feels solid in hand and runs smoothly. Sure, it’s not the fastest mobile device, but it’s a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget.
It’s important to realize that UMX isn’t alone. There are many reports of budget manufactures coming pre-installed with malware, and these reports are increasing in number. Although I don’t have the answer to this widespread issue, I can say that US citizens using the Lifeline Assistance Program and many others on a tight budget deserve more. Stay safe out there.
Correction: An earlier version of this blog listed the UMX model as U686CL. The correct model is UMX U683CL. We apologize for the confusion.
