MalwareBytes today revealed that Assurance Wireless by Virgin, which receives subsidies from the U.S. government to offer discounted cellular service to low-income Americans, sells an Android phone with "unremovable malware" installed.
The phone in question, the UMX U686CL, is said to cost just $35 from Assurance Wireless. (We couldn't find the device on the Assurance Wireless website, although we did find the UMX U683CL.) Assurance Wireless receives U.S. funds via the Lifeline program that offers discounted phone and broadband access to people who need it.
MalwareBytes said the UMX U686CL came with an app called "Wireless Update" pre-installed. Although the app does allow people to update the phone's software, it can also be used to install other apps without the owner's permission, and MalwareBytes said it's actually a variant of the rightly maligned Adups software for Android.
Adups was criticized in 2016 and 2017 for secretly collecting user data via pre-installed apps that can't be removed without creating problems for the host device. In this case, Wireless Update is said to start installing apps the moment someone logs into the device, "with zero notification or permission required from the user."
But that's actually just the start of the UMX U686CL's problems. MalwareBytes said there's another piece of malware pre-installed on the device, and that one can't be removed without rendering the phone unusable. The company explained:
"It’s with great frustration that I must write about yet another unremovable pre-installed malicious app found on the UMX U686CL phone: the mobile device’s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX. Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable.
Android/Trojan.Dropper.Agent.UMX shares characteristics with two other variants of known mobile Trojan droppers. The first characteristic is that it uses the same receiver and service names. The receiver name ends with ALReceiver and the service name ends with ALAJobService. These names alone are too generic to make a solid correlation. But, coupled with the fact that the code is almost identical, and we can confidently confirm a match."
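The name pattern in the quote can be turned into a first-pass triage check over a decoded AndroidManifest.xml. This is an added example, not code or detection logic from the quoted write-up; the sample manifests and package names are constructed, and a hit is only a lead for code comparison, since the names alone are described as too generic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RECEIVER_SUFFIX = "ALReceiver"    # receiver suffix from the quoted write-up
SERVICE_SUFFIX = "ALAJobService"  # service suffix from the quoted write-up


def component_names(root, tag, suffix):
    """Return android:name values of <tag> elements whose class name ends with suffix."""
    hits = []
    for el in root.iter(tag):
        name = el.get(ANDROID_NS + "name", "")
        # Names may be relative (".Foo") or fully qualified; compare the class part.
        if name.rsplit(".", 1)[-1].endswith(suffix):
            hits.append(name)
    return hits


def triage_manifest(manifest_xml):
    """Flag a decoded manifest that declares BOTH name patterns (case-sensitive)."""
    # For manifests from untrusted APKs, a hardened parser such as defusedxml is safer.
    root = ET.fromstring(manifest_xml)
    receivers = component_names(root, "receiver", RECEIVER_SUFFIX)
    services = component_names(root, "service", SERVICE_SUFFIX)
    return {
        "package": root.get("package", ""),
        "receivers": receivers,
        "services": services,
        # A lead for code comparison only: the names alone are too generic.
        "needs_review": bool(receivers and services),
    }


def _manifest(package, receiver, service):
    """Build a constructed sample manifest (not taken from any real device)."""
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}"><application>'
        f'<receiver android:name="{receiver}"/><service android:name="{service}"/>'
        "</application></manifest>"
    )


SUSPECT = _manifest("com.example.settings", ".boot.XyzALReceiver", "com.example.settings.XyzALAJobService")
BENIGN = _manifest("com.example.notes", ".LocalReceiver", ".sync.UploadJobService")
PARTIAL = _manifest("com.example.radio", ".SignalReceiver", ".QALAJobService")

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN, PARTIAL):
        print(triage_manifest(sample))
```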
MalwareBytes noted that the UMX U686CL isn't the only budget smartphone that comes with malware pre-installed. The security company said it only expects that problem to get worse, too, and it's hard not to wonder how many of these devices escape scrutiny just because they're made for people without money to spare.
In its blog post, MalwareBytes said it "informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware," but it never heard back. Assurance Wireless doesn't appear to have commented after the report's publication, either.