Cheap Android Phones Funded By US Government Infected With Unremovable Malware [WORK]
The first is heavily obfuscated malware that can install adware and other unwanted apps without the knowledge or permission of the user. Android/Trojan.Dropper.Agent.UMX contains striking similarities to two other trojan droppers. For one, it uses identical text strings and almost identical code. And for another, it contains an encoded string that, when decoded, contains a hidden library named com.android.google.bridge.Liblmp.
Cheap Android Phones Funded by US Government Infected with Unremovable Malware
We informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware? After giving them adequate time to respond, we unfortunately never heard back. Here's what we discovered.
As I have highlighted in this blog and blogs past, pre-installed malware continues to be a scourge for users of mobile devices. But now that there's a mobile device available for purchase through a US government-funded program, this henceforth raises (or lowers, however you view it) the bar on bad behavior by app development companies.
For years, low-income households have been able to get cheap cell service and even free smartphones via the U.S. government-funded Lifeline Assistance program. One provider, Assurance Wireless, offers a free Android device along with free data, texts and minutes.
MalwareBytes today revealed (opens in new tab) that Assurance Wireless by Virgin, which receives subsidies from the U.S. government to offer discounted cellular service to low-income Americans, sells an Android phone with "unremovable malware" installed.
In its blog post, MalwareBytes said it "informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware," but it never heard back. Assurance Wireless doesn't appear to have commented after the report's publication, either.
The phones are offered for sale by Assurance Wireless by Virgin Mobile via the Lifeline Assistance program, a U.S. Federal Communications Commission-funded program that offers communications services to low-income consumers. The model where the malware was found, the UMX U686CL phone made by Chinese company Unimax International Ltd., is sold to Lifeline Assistance users for $35.
There were two types of malware preinstalled on the phone. The first malicious code, a variant of the Adups malware, was found in an app called Wireless Update that comes with the phone. Adups is a Chinese company that has previously been caught collecting data, creating backdoors and developing auto-installers. The infected app itself starts auto-installing apps from the moment a user logs into the smartphone with no user consent required.
Anti-malware company Malwarebytes said the phone provider, Sprint's Assurance Wireless offers its most affordable Android smartphone, the Chinese-made UMX, for only $35 with free data, texts and minutes through the government support program Lifeline.
A second malicious application officially identified by Malwarebytes on Friday, which is also preinstalled on the UMX phones, was discovered in the phone's Settings app. While the settings function normally, there is a hidden malware in the settings called HiddenAds, which can infect a device with belligerent pop-up ads.
In January 2022, El Faro, a prominent Salvadoran news outlet, revealed that a majority of its staff had their phones infiltrated using Pegasus. The targeting was uncovered in an investigation conducted by Citizen Lab, and Access Now; the investigation revealed that the journalists of another 13 Salvadoran news organisations were targeted as well. Between July 2020 and November 2021, Pegasus was deployed on the phones of 22 employees of El Faro, including reporters, editors, and other staff. At the time of the targeting, the El Faro was looking into governmental corruption scandals, and the government's clandestine dealings with the country's gangs. The Salvadoran government denied responsibility for the espionage, and NSO Group declined to reveal whether the Salvadoran government was a client.
In January 2022, it was reported that Pegasus was unlawfully used by the Israeli Police to monitor citizens as well as foreign nationals who were accidentally or intentionally infected by the software. The surveillance was ordered by high-ranking police officers, and was carried out without warrants or judicial supervision. The legal basis for use of spyware against citizens is disputed. The police had allegedly targeted civilians not suspected of any crime, including organisers of antigovernmental protesters, mayors, anti-LBGT parade activists, employees of government-owned companies, an associate of a senior politician, and former government employees. In one case, it was alleged that police targeted an activist who was not suspected of a crime, allegedly to gather information about the activist's extra-marital affairs and use it as leverage.
In June 2020, an investigation by Amnesty International alleged that Moroccan journalist Omar Radi was targeted by the Moroccan government using the Israeli spyware Pegasus. The rights group claimed that the journalist was targeted three times and spied on after his device was infected with an NSO tool. Meanwhile, Amnesty also claimed that the attack came after the NSO group updated their policy in September 2019.
According to revelations from July 2021, Morocco had targeted more than 6,000 Algerian phones, including those of politicians and high-ranking military officials, with the spyware. The Algerian government subsequently severed diplomatic relations with Morocco in August 2021, citing alleged Moroccan deployment of Pegasus against Algerian officials as one of the "hostile actions" that undergirded the decision.
On 24 September 2021, The Guardian reported that the telephone of Alaa al-Siddiq, executive director of ALQST, who died in a car accident in London on 20 June 2021, was infected with the Pegasus spyware for 5 years until 2020. Citizen Lab confirmed that the Emirati activist was hacked by a government client of Israel's NSO Group. The case represented a worrying trend for activists and dissidents, who escaped the UAE to live in the relative safety, but were never out of the reach of Pegasus.
That is obviously a serious vulnerability, and Malwarebytes researchers found that Wireless Update was auto-installing apps without user content from the get-go. While scans of the apps installed reveal they are initially clean, the cybersecurity firm points out that malware could easily be distributed to the phones via any future updates to these apps, all without the user knowing about the installations.
The issue is not limited to this particular phone or the Lifeline program, however. Cheap smartphones from numerous Chinese companies have been found to come pre-installed with malware in recent years, and as this story clearly demonstrates, things have only become even more dire on the lower end of the smartphone space.
The US government has painted the image of a Chinese government that will use every trick in the book to spy both on its own citizens as well as other countries. The latter can come in the form of smartphones with spyware, which is one of the accusations it hurled at Huawei. It is almost ironic, then, that smartphones that the US government itself has funded to sell at an affordable price do exactly that and, unfortunately, there is no way to get rid of these malware.
Both malware come from China as does the UMX phone itself. It's probable that neither Virgin Mobile nor the US government was aware of these facts, which is still ironic given the paranoia around Chinese-made phones. As Malwarebytes reports, UMX isn't alone in pre-installing unremovable malware on phones and things could actually be getting worse as time goes by. 350c69d7ab