Mr.SnaPeR" Posted January 13, 2020 Share Posted January 13, 2020 In context: If you're a member of a low-income household, there's a chance you may have heard of the US government's "Lifeline Assistance" service. Among other things, the FCC-run program provides low-cost cellphones to those who would not be able to afford them otherwise. The program certainly has the potential to do a lot of good for low-income families, but as is the case with many "free" offers, there appears to be a catch for some. According to a new report from antivirus software maker Malwarebytes, one specific Lifeline Assistance phone model, the UMX U686CL, has some nasty surprises hidden within. The phone is being sold by Assurance Wireless, a US-funded offshoot of Virgin Mobile, and it allegedly contains unremovable pre-installed malware. Malwarebytes first discovered this information in October 2019, when it began to receive numerous malicious app complaints from owners of the device. To verify these claims, Malwarebytes purchased a UMX U686CL for itself, and their findings were worrisome, to say the least. The first problematic discovery was a pre-installed app called "Wireless Update," which has been classified as "Android/PUP.Riskware.Autoins.Fota.fbcvd." Wireless Update reportedly begins auto-installing apps (without user consent) from the moment the UMX U686CL is booted up for the first time. Malwarebytes says the apps installed by Wireless Update are not harmful by themselves, but any app that auto-installs other software without so much as informing users has the potential to be shady down the line. In addition to Wireless Update, Malwarebytes found that the UMX U686CL's Settings menu is actually a "heavily-obfuscated piece of malware" known as a "Trojan Dropper" (Android/Trojan.Dropper.Agent.UMX, specifically). A quick look through Malwarebytes' virus database offers the following definition for the malware: Android/Trojan.Dropper is a malicious app that contains additional malicious app(s) within its payload. The Android/Trojan.Dropper will install the additional malicious app(s) onto an infected mobile device. On the Android OS, most often the malicious app(s) to be dropped is/are contained within the Android/Trojan.Dropper's Assets Directory. The Assets Directory is an optional directory that can be added to an APK to store raw asset files. In the case of a Mobile Trojan Dropper, it contains a malicious APK(s) to be dropped and installed. In the case of the UMX U686CL's sketchy Settings app, the malicious payload comes in the form of "Android/Trojan.HiddenAds." Another quick scan through Malwarebytes documentation doesn't reveal any information on this specific piece of malware, but similar variants, such as "Android/Trojan.HiddenAds.BiRa," allegedly display "annoying" full-screen ads on the host device's lock screen. Malwarebytes believes this malware is Chinese in origin, due to the "Chinese characters" used for variable names within its code. However, one commenter countered this claim by pointing out that these characters are not Chinese, but instead Unicode characters that aren't being displayed properly. The code in question can be seen below: Regardless of the malware's origin, its existence is still troublesome, and the problems it presents may not be ones the average user can solve. "Although we do have a way to uninstall pre-installed apps for current Malwarebytes users, doing so on the UMX has consequences," Malwarebytes claims. "Uninstall Wireless Update, and you could be missing out on critical updates for the OS. We think that's worth the tradeoff, and suggest doing so. But uninstall the Settings app, and you just made yourself a pricey paper weight. The company has provided users with a potential method for "remediating" this sort of "essential" malware, but it's not easy, and it might not work for everybody. Malwarebytes has reached out to Assurance Wireless for an explanation on this matter, but the antivirus company received no response. We will also be attempting to contact Assurance Wireless ourselves, and we'll update this article if we receive a reply (though it's a bit unlikely). Link to comment Share on other sites More sharing options...
Recommended Posts