A U.S. Government-funded smartphone comes with pre-installed malware, researchers at Malwarebytes have discovered. The malware can't be removed without rendering the device unusable. The smartphone in question is the UMX U683CL and is sold as part of Virgin Mobile's Assurance Wireless program. This is a federal Lifeline Assistance program. Founded by the FCC in 1985, Lifeline is a program intended to make communication services more affordable to low-income consumers. The UMX U683CL costs only $35 through the program, featuring a Qualcomm Snapdragon 210, 1GB of RAM, 5-inch 480p LCD, 2000 mAh battery, and Android Go. It's certainly not a bad offering, but it seems that the price of affordability comes at the cost of privacy. The team at Malwarebytes found not one, but two instances of pre-installed malware on the UMX U683CL.

"Wireless Update", the return of Adups

The first application is the more minor of the two, and self-identifies as "Wireless Update". It's the only way to update the device, but it also has the capability of automatically installing apps in the background, without the user's consent. Malwarebytes identified this malware as Android/PUP.Riskware.Autoins.Fota.fbcvd, or Adups.

On a side note, the inclusion of Adups malware is actually what led to BLU's smartphones being pulled from the Amazon marketplace. BLU eventually settled with the FTC. Adups had been collecting a lot of user data, including "full-body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the IMSI and IMEI". This data was then transmitted back home. In the case of the UMX U683CL, the app immediately begins installing applications in the background once the device is powered on and connected to the internet. The apps are free of malware thus far, but this is still entirely done without user consent. This does not mean they will be clean in the future, either.

Pre-installed and unremovable malware

But the worst comes in the form of the second application, Android/Trojan.Dropper.Agent.UMX, which is a heavily obfuscated and vital part of the system. It comes as part of the device's own settings application, so removing it would render the device unusable. Malwarebytes matched the trojan with other malware of Chinese origin thanks to shared service names, along with code that matches in every aspect apart from variable names. It also shares a hidden library called com.android.google.bridge.LibImp, which loads another trojan known as Android/Trojan.HiddenAds.WRACT. It does not arrive immediately, but the researchers at Malwarebytes eventually did receive it. This new malware presents itself as a notification simply titled "Full", with no other identifying information. It's possible to uninstall HiddenAds, although it's unknown whether or not it's gone for good once you do.

Assurance Wireless has been contacted, no response yet

To make matters worse, the researchers at Malwarebytes contacted Assurance Wireless with their findings and asked why a US-funded device was being sold with pre-installed malware. So far, they have received no reply after giving adequate time for a response. It is all the more deplorable that buyers of a smartphone aimed at those with lower incomes have to compromise on privacy, as budget should not dictate whether a consumer has a right to privacy or not. There's not really any way around it either - uninstalling "Wireless Update" prevents updates (though it's unlikely it got many anyway) while uninstalling the settings application is more or less impossible without bricking your phone. There shouldn't even need to be a choice between not having malware, or having a usable phone.

Malwarebytes was unable to confirm whether or not UMX had knowingly pre-installed malware. While the malware appears to be Chinese in origin and the device is produced by a Chinese company, it could instead just be a coincidence. Malwarebytes also makes it clear that this device isn't alone, and that they have heard of numerous reports of other budget smartphones launching with pre-installed malware as well.


Source: Malwarebytes