At the beginning of this year, Malwarebytes experts reported finding preinstalled malware in budget smartphones manufactured by Unimax.
At that time, the malware was found in two applications preinstalled on Unimax (UMX) U686CL devices, which are offered to low-income Americans through a special government-sponsored Lifeline program (such smartphones cost only $35). These Android devices are made in China and sold by Assurance Wireless, a mobile service provider in the Virgin Mobile group.
One of the components of the device, the Wireless Update application, contained the Adups malware. More suspicious code was found in the Settings application. According to the researchers, the application was infected with some kind of highly obfuscated malware, presumably of Chinese origin. Apparently, this was the dropper of the well-known advertising malware HiddenAds.
In January, it was emphasized that the two malicious applications could not be removed. Users could get rid of the Wireless Update application, but doing so meant the phone stopped updating and missed critical security updates for its firmware.
Now Malwarebytes experts have discovered another budget phone with similar security issues: the ANS (American Network Solutions) UL40 running Android 7.1.1. After the publication of the January report, many users told the researchers that something was wrong with their ANS devices.
Analysts managed to get the ANS UL40 model for testing and confirmed that the users were right. It is currently unclear whether Assurance Wireless is still selling these devices, but the affected smartphones can be purchased at other online stores and marketplaces.
As in the case of the UMX U686CL, two compromised applications were found on the ANS UL40 smartphone: Wireless Update and Settings. In this case, however, the applications are infected with different malware.
In the Settings application, the researchers detected the Downloader Wotby Trojan, which is capable of downloading additional applications to the victim’s device from external sources. The researchers did not find any evidence of malicious applications in a third-party store associated with this software, but this does not mean that they could not appear later.
The Wireless Update application, in turn, was flagged by the researchers as a potentially unwanted program (PUP), which is also able to automatically install additional applications without the user's permission or knowledge. The application secretly installed at least four different versions of the HiddenAds advertising malware on victims' devices.
Further research showed that the ANS L51 model also came with preinstalled malware, and the malware was the same as in the UMX U683CL.
Since the infections on UMX and ANS devices differ, the researchers tried to figure out what connects these brands. The common denominator was the digital certificate used to sign the ANS Settings application. This certificate was traced to TeleEpoch Ltd, which is registered in the United States as UMX.
“We have the Settings application on ANS UL40 with a digital certificate signed by a company that is a registered UMX brand,” the experts say. “That is, there are two different Settings applications, with two different variants of the malware, for two different models of smartphones from two different manufacturers, and, apparently, all this is connected with TeleEpoch Ltd. In addition, at the moment, only two brands distributed pre-installed malware in the Settings application through the Lifeline Assistance program. These are ANS and UMX.”
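The certificate link described above can be checked mechanically when auditing a device image. The following is an added example, not code from Malwarebytes or from the original article: it parses output in the format printed by `apksigner verify --print-certs` and flags system apps signed by an organisation that owns a different brand. The brand-to-owner mapping, the file names, the DNs and the digests are constructed for illustration.

```python
import re

# Assumption: the organisation expected to sign each brand's system apps.
# The names appear in the article; the mapping is illustrative only.
BRAND_OWNER = {"UMX": "TeleEpoch Ltd", "ANS": "American Network Solutions"}

# Constructed sample in the `apksigner verify --print-certs` output format.
# DNs, file names and digests are placeholders, not values from real devices.
SAMPLE = [
    ("ANS", "UL40", "Settings.apk",
     "Signer #1 certificate DN: CN=build, O=TeleEpoch Ltd, C=US\n"
     "Signer #1 certificate SHA-256 digest: " + "a1" * 32 + "\n"),
    ("ANS", "UL40", "Launcher.apk",
     "Signer #1 certificate DN: CN=build, O=American Network Solutions, C=US\n"
     "Signer #1 certificate SHA-256 digest: " + "b2" * 32 + "\n"),
    ("UMX", "U686CL", "Settings.apk",
     "Signer #1 certificate DN: CN=build, O=TeleEpoch Ltd, C=US\n"
     "Signer #1 certificate SHA-256 digest: " + "c3" * 32 + "\n"),
]

DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.M)
SHA_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-f]{64})$", re.M)
ORG_RE = re.compile(r"(?:^|,\s*)O=([^,]+)")  # simplification: no escaped commas


def parse_signers(text):
    """Return [(organisation, sha256)] for every signer in the tool output."""
    digests = dict(SHA_RE.findall(text))
    signers = []
    for idx, dn in DN_RE.findall(text):
        org = ORG_RE.search(dn)
        signers.append((org.group(1).strip() if org else None, digests.get(idx)))
    return signers


def cross_brand_signers(records, owners=BRAND_OWNER):
    """Flag APKs whose signer organisation owns a different brand than the device."""
    findings = []
    for brand, model, apk, text in records:
        for org, sha in parse_signers(text):
            others = [b for b, o in owners.items() if o == org and b != brand]
            if others:
                findings.append((f"{brand} {model}", apk, org, others[0], sha))
    return findings


if __name__ == "__main__":
    for finding in cross_brand_signers(SAMPLE):
        print("%s: %s signed by %s (owner of %s), cert SHA-256 %s" % finding)
```

A hit only shows that a signing key is shared across brands; as the article goes on to say, it does not settle whether the manufacturer or a supply-chain compromise is responsible.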
However, it is still unclear whether the manufacturers are to blame for what is happening, or whether the malware got onto the devices through a compromise of the supply chain.
In January 2020, shortly after the publication of the Malwarebytes report, UMX developers safely got rid of the malware on their devices. The researchers now write that ANS is likely to find a solution to the problem very quickly and do the same.
“When choosing a budget mobile device, compromises are inevitable. Some quite obvious trade-offs are performance, battery life, storage size, screen quality, and much more, so the mobile device doesn’t hit the wallet so much. However, budgeting should in no case mean compromising (user) security with pre-installed malware. And the point,” the experts summarize.