‘Undeletable’ Malware Shows Up in Yet Another Android Device

pre-installed malware undeletable android

Researchers have found trojans and adware in preinstalled apps on a low-cost device distributed by the government-funded Lifeline Assistance Program.

Security researchers have identified yet another Android-based mobile device available through the government-funded Lifeline Assistance Program pre-loaded with malware, a discovery adding evidence to the disturbing trend of smartphones infected with undeletable malicious code upon purchase.

Hard on the heels of research exposing the prevalence of pre-installed adware on Android devices, researchers at Malwarebytes Labs found an American Network Solutions (ANS) UL40 device running Android OS 7.1.1, preloaded with compromised Settings and Wireless Update apps.

According to a report by senior malware intelligence analyst Nathan Collier, each of the malware variants has “their own unique infection characteristics,” he said.

The phone is distributed by the Lifeline program via Assurance Wireless by Virgin Mobile. It’s not clear whether the device is still available, but researchers found its user manual available on the Assurance Wireless website, Collier said. At the time of this writing, however, that website was not available.

The Lifeline Assistance Program provides people with lower incomes in the United States access to mobile phone services and devices. Curiously, the malware that researchers found on the UL40 device is the same as the malicious apps that Malwarebytes researchers discovered on the Unimax Communications U683CL Android device in January. That device also is distributed via the program, and the issue was later resolved, researchers said.

The UL40 device analyzed by Malwarebytes came with a preinstalled trojan file: Android/Trojan.Downloader.Wotby.SEK. It’s installed in the device’s Settings app, which as its name suggests, is required to control all of the device’s settings. It is thus undeletable, as to remove it would render the device useless, Collier said.

While it was not immediately obvious that the trojan was present on the device, researchers were able to detect it given its similarity to another malware downloader.

“Proof of infection is based on several similarities to other variants of Downloader Wotby,” Collier explained. “Although the infected Settings app is heavily obfuscated, we were able to find identical malicious code. Additionally, it shares the same receiver name: com.sek.y.ac; service name: com.sek.y.as; and activity names: com.sek.y.st, com.sek.y.st2, and com.sek.y.st3.”

The app did not trigger any malicious activity when researchers analyzed the device, which they expected; however, the smartphone they examined also did not have a SIM card installed, which also could affect how the malware behaves, he said.

“Nevertheless, there is enough evidence that this Settings app has the ability to download apps from a third-party app store,” he wrote. “This is not okay.”

The other malware variant came preinstalled in the UL40’s Wireless Update app, which functions as the device’s main way of updating security patches, the operating system and other apps.

Wireless Update on the device contained the Android/PUP.Riskware.Autoins.Fota malware, which installed four different variants of the adware Android/Trojan.HiddenAds, upon examination by researchers, Collier reported. After installing on a device, periodic full-screen ads seemingly unaffiliated with whatever apps are running will plague the user.

Malwarebytes has notified ANS of the situation and have the “utmost faith” that the company will “quickly find a resolution to this issue,” he added.

In the meantime, researchers offered a workaround to stop the UL40 device’s Wireless Update HiddenAds infection by uninstalling the app using a similar method Malwarebytes already created to remove the adware Adups from Android devices.

Lifeline Connections

While researchers initially believed there was no connection between the pre-loaded infections on the UMS and ANS mobile devices, evidence has emerged that they could be connected through a common company called TeleEpoch Ltd, Collier reported.

“The Settings app found on the ANS UL40 is signed with a digital certificate with the common name of ‘telepoch,'” he wrote. “Searching ‘telepoch’ comes up with the company TeleEpoch Ltd., along with a link to their website. Right there on the homepage of TeleEpoch Ltd. it states, ‘Teleepoch registered brand UMX’ in the United States.'”

There also is evidence that other devices being distributed by the Lifeline Assistance Program also may have the same issue, though Malwarebytes’ investigation is currently inconclusive, Collier added.

Research earlier this month suggests these types of pre-installed infections on Android may be a common occurrence. Research by Kaspersky Labs found that many Android devices — especially low-cost devices — harbor pre-installed default applications that are undeletable, providing a way for malware to hide and persist on the device using a system-partition infection.

“Unfortunately, if a user purchases a device with such pre-installed advertising, it is often impossible to remove it without risking damage to the system,” Kaspersky researcher Igor Golovin told Threatpost. “In this case, all hopes rest on enthusiasts who are busy creating alternative firmware for devices. But it’s important to understand that reflashing can void the warranty and even damage the device.”

He added, “I advise users to look carefully into the model of smartphone they are looking to buy and take these risks into account. At the end of the day, it is often a choice between a cheaper device or a more user-friendly one.”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail. 




Suggested articles