United States government-funded Android phones contain unremovable pre-installed malware, according to a recent report by cybersecurity firm Malwarebytes.
The report, which was first published by Malwarebytes researcher Nathan Collier on January 9, alleges that the low-end Android phone UMX U686CL contains two independent pieces of pre-installed malware. According to Collier, this malware leaves the Android phone vulnerable to invasive advertising, as well to the auto-installation of apps without the user’s permission.
This comes mere days after an open letter was written to Google’s head, Sundar Pichai, which requested that the tech giant take firmer action in preventing “exploitative pre-installed software on Android devices,” especially in the case of low income users. The letter was signed by dozens of high-profile interested parties including the American Civil Liberties Union (ACLU), Amnesty International, and The Tor Project.
Android phones at risk
For many years, the US federal government has been subsidizing Android phones to low-income consumers as part of its Lifeline Assistance program, administered by the Federal Communications Commission (FCC). In this way, for example, the UMX U686CL model is sold for as little as $35 under Virgin Mobile’s Assurance Wireless program – making it a cheap and accessible option for many low income families.
The pre-installed malware was first noticed by several users of the smartphone, who brought it to the attention of Malwarebytes. After analysing the claims, the firm concluded that the two pre-installed apps in question were indeed malicious, and that they were of Chinese origin. Malwarebytes and other members of the press have subsequently contacted Assurance Wireless and Virgin Mobile for comment on the issue but have thus far received nothing in return.
The problems posed by pre-installed malware
According to Erich Kron, security awareness advocate at KnowBe4, “Whether Assurance Wireless was aware of the malware when procuring the phones or not, this certainly illustrates the increasing concerns around supply chain management and the complexity behind it.”
“Quite often manufacturers do not write all of the software needed to run the devices,” he adds, “but instead license software from other providers or the manufacturers of the chips themselves. This makes ensuring all of the code is secure and trustworthy a difficult task and is not just related to lower tier providers.”
Kron goes on to point out that a similar issue had previously been reported recently among Samsung smartphones. In this case, unremovable software from Chinese antivirus firm Qihoo 360 – which has garnered a dubious reputation in the data security industry – was alleged to have been installed on top-tier Samsung smartphones such as the Galaxy S10 Plus.
“In the hypercompetitive world of cellular phones and electronic devices,” Kron explains, “the struggle to create the most inexpensive phones with the strongest feature set results in less security testing and will likely result in similar events in the future.”
According to the Malwarebytes report, the pre-installed malware that was discovered on government-funded Android phones seems to be a variant of Adups – a piece of pre-installed malware that was found to have been covertly collecting user data back in 2016 by a Chinese company of the same name.
Similarly, to Adups, this piece of heavily obfuscated malware – called Wireless Update – runs silently in the background of the Android phone and is responsible for downloading and installing system updates. However, it also has the capacity to auto-install unwanted apps without the user’s permission. Reports from customers suggest that this auto-installation becomes incessant – installing a barrage of unwelcomed apps onto the user’s Android phone.
The second piece of pre-installed malware that was found on the UMX U686CL – referred to as Android Trojan.HiddenAds – also poses significant issues. Once it has been inadvertently loaded into memory, this pre-installed malware cannot be uninstalled without having first to “Uninstall the Settings app.” According to Malwarebytes, this process would effectively render the Android phone little more than a “pricey paper weight.”
A response falling flat
While it would seem that a tradeoff for data security does indeed exist when it comes to purchasing low-end Android phones, it would also seem that the response to this concern has so far not been adequately addressed.
According to Kron, there has been a remarkable lack of transparency and responsibility surrounding the precise origin of the pre-installed malware and how the issue can be tackled on Android phones.
“The surprising and unfortunate thing here is the response to Malwarebytes when presented with the findings,” he explains. “While it seems easy to ignore these sorts of reports in the hope that it will go away quickly, the unfortunate truth is that a poor response to an incident such as this can leave long lasting marks on an organization’s reputation.”