Cheap phones that carry factory viruses

While buying a cheap mobile phone in the United States can be a great advantage, experts point out how necessary it is to ensure that the low price is not a reflection of low security standards in its software.

The reason behind this suggestion lies in the discovery made in January by a group of cybersecurity researchers from Malwarebytes of unremovable malware installed on the Android operating system of a low-end device, the Unimax (UMX) U686CL.

The device was marketed by the company Assurance Wireless as part of Lifeline Assistance, an American program established in 1985 that manages the subsidy of telephone services for low-income families. Malwarebytes detected applications that had been installed in the background without the user’s consent and that could not be removed.

However, this has not been the only mobile phone model to show this type of problem.

Malwarebytes has discovered the same flaw in the Android 7.1.1 system of the ANS (American Network Solutions) UL40 model.

Nathan Collier, a Malwarebytes researcher, has stated that, following the report published by the company in January, there have been complaints from followers who said they had found traces of malware on a variety of ANS mobile device models.

The researchers proceeded to verify the claims on the ANS UL40 model; they do not know whether it is still sold directly by Assurance Wireless. However, the user manual for the device is published on the seller’s website and the model can still be purchased through other online stores.

As with the UMX U686CL mobile device model, two applications were found: one for configuration and one for wireless updates.

Characteristics and behavior of the malware

In detail, the configuration application was found to be a Trojan named Wotby Downloader, which may have the ability to download applications from external sources. The researchers did not detect any sign of malware being installed from a third-party store linked to the software, although they did not rule out that it could be installed later.

For its part, the other harmful application, WirelessUpdate, is considered a potentially unwanted program (PUP) designed to enable automatic installation of applications without user permission or consent.

Although the application acts as an over-the-air (OTA) updater that delivers security fixes and operating system updates, the software also installs 4 versions of HiddenAds, a group of Trojans that affect Android mobile phones and constitute a strain of adware that saturates the device with advertisements.

In an attempt to identify the source of the malware, the Malwarebytes team disabled WirelessUpdate for a period of 24 hours and then reactivated it. Afterwards, it was found that 4 varieties of adware had been installed in the background.

Given the differences in the malware detected on the UMX and ANS mobile device models, the researchers set out to determine whether there was any link between the brands.

In the end, the team found that both brands used the same digital certificate: the signature of the ANS configuration application is registered under the name TeleEpoch, which, on further investigation, led to TeleEpoch Ltd., registered as UMX in the United States.

In reference to this discovery, Collier stated:

We have a Configuration application found on an ANS UL40 with a digital certificate signed by a company that is a registered trademark of UMX. […] They are two different configuration applications with two malware variants in two different manufacturers and phone models that seem to be related to TeleEpoch Ltd. Also, so far the only two brands that have pre-installed malware in the Settings section through the Lifeline Assistance program are ANS and UMX.

After Collier’s exhaustive analysis, it was concluded that both the mobile device model ANS L51 and the UMX U686CL had been infected by the same malware.

Despite these results, it is still unclear whether the malware was implanted on mobile devices by vendors or in the supply chain.
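
The certificate comparison that linked the two brands can be repeated on APKs pulled from devices under review. The following is an added example, not code from Malwarebytes or from the original article: it parses the text printed by `apksigner verify --print-certs` and reports signing certificates that appear under more than one brand. The brand names, file names, DNs and digests are constructed placeholders.

```python
import re
from collections import defaultdict

# Line layout printed by `apksigner verify --print-certs` for each signer.
DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.M)
SHA_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-f]{64})$", re.M)


def cert_output(dn, digest):
    """Build constructed text in the layout apksigner prints for one signer."""
    return (f"Signer #1 certificate DN: {dn}\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n")


# Constructed inventory: (brand, apk file) -> captured apksigner output.
# Every name and digest here is a placeholder, not a value from the report.
SAMPLE = {
    ("BrandA", "settings.apk"): cert_output("CN=Signer One, O=ExampleCo", "ab" * 32),
    ("BrandB", "settings.apk"): cert_output("CN=Signer One, O=ExampleCo", "ab" * 32),
    ("BrandC", "settings.apk"): cert_output("CN=Signer Two, O=OtherCo", "ef" * 32),
}


def parse_signers(output):
    """Return {sha256_digest: subject_dn} for every signer in the output."""
    dns = dict(DN_RE.findall(output))
    return {digest: dns.get(idx, "") for idx, digest in SHA_RE.findall(output)}


def shared_signers(inventory):
    """Return certificates that sign apps under more than one brand."""
    seen = defaultdict(set)
    for (brand, apk), output in inventory.items():
        for digest in parse_signers(output):
            seen[digest].add((brand, apk))
    return {digest: sorted(apps) for digest, apps in seen.items()
            if len({brand for brand, _ in apps}) > 1}


if __name__ == "__main__":
    for digest, apps in shared_signers(SAMPLE).items():
        print(f"{digest[:16]}... signs {apps}")
```

A shared signer does not by itself prove who placed the software on the device; it narrows where to look in the supply chain.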