U.S. Government Subsidized 'Lifeline' Android Phones Riddled With Pervasive Malware

A government program designed to help low-income individuals own a smartphone might be dealing participants more than they bargained for. More specifically, security researchers warn that the government-subsidized smartphone provided by Virgin Mobile's Lifeline Assurance Wireless program contains multiple instances of malware.

At the heart of the controversy is the Unimax (UMX) U686CL. It is a low-end Android device that is said to cost just $35 to qualifying participants, though at the time of this writing, I can't find the handset at the Assurance Wireless online store. The next closest model is the Unimax U683CL, listed for $39.

Researchers at Malwarebytes say they obtained the U686CL to investigate numerous complaints in its support system from users claiming some of the preinstalled apps were malicious. And that's exactly what the researchers claim to have found themselves.

"The first questionable app found on the UMX U686CL poses as an updater named Wireless Update. Yes, it is capable of updating the mobile device. In fact, it’s the only way to update the mobile device’s operating system (OS). Conversely, it is also capable of auto-installing apps without user consent," the researchers noted.

According to Malwarebytes, the app is a variant of Adups, a China-based company it says was caught collecting user data, creating backdoors on affected mobile devices, and developing auto-installers. Part of Malwarebytes' concern is that the app starts automatically installing apps as soon as a user logs into the mobile device, without their consent.

"While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time," the researchers say.

The other part of the concern is that the only recourse is to uninstall the updater. However, that means users could miss out on critical security patches and other goodies. In other words, choose your poison.

In addition, Malwarebytes says the phone's Settings app is malicious as well, as it "functions as a heavily-obfuscated malware" that the firm detects as a Trojan dropper capable of fetching and installing a payload. This one also traces back to China, the researchers say.

"Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device," the researchers noted.

Sprint Refutes Claim Malware Exists On Virgin Mobile's Subsidized Unimax U686CL Android Phone

There is some debate as to whether these findings warrant the malware label, as opposed to PUPs (potentially unwanted programs). According to Sprint, its own testing has not uncovered any malware on the U686CL.

"We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware," Sprint told Ars Technica.

Regardless, Malwarebytes recommends that U686CL owners uninstall the Wireless Update app, even though it means they could miss out on critical security updates.

"We think it's worth the tradeoff and suggest doing so," the company says.

Thumbnail/Top Phone Image Source: Malwarebytes (Nathan Collier)