Inexpensive cell phones offered through the U.S. Lifeline Assistance program are once again being infected with pre-installed malware, security researchers have found.
Nathan Collier of MalwareBytes, a low-cost provider through Lifeline Assistance, a program that subsidizes phone service and equipment for needy families. American Network Solutions' UL40 Android device running two malicious apps.
One of them is the "Settings" app, which, when removed, causes the phone to become unstable. The other was WirelessUpdate, which was the primary method of installing legitimate software updates.
The Lifeline Assistance Phone is commonly referred to as the "Obamaphone," but President Obama has no actual connection to it. The program began in 1985 during the Reagan presidency and was expanded to cell phones in 2005 during the George W. Bush presidency.
This is not the first time Collier has made such a discovery. In January, Collier also discovered malware preinstalled on the Unimax U686CL, a low-cost Android smartphone offered as part of the Lifeline Assistance scheme.
In both cases, pre-installed malware or adware embedded in the legitimate "Settings" and "WirelessUpdate" apps were able to download additional apps from the "Offload" app store to the unsuspecting user's device
Correa.
Collier found that "the infections are similar but have unique infection characteristics." This discovery was made by Malwarebytes user Rameez H. Anwar, who sent a compromised ANS UL40 for research purposes.
Embedded in the ANS UL40's configuration app is a Trojan horse called Downloader Wotby, which can install third-party apps in front of unsuspecting users.
However, in the weeks that Collier tested the phone, the configuration app did not download anything. He manually downloaded a few apps from his shopping list and verified that there was no malware, but warned that "it is not impossible that a malicious version could be uploaded at a later date."
This was not the case with WirelessUpdate. In the mere 24 hours that Collier was testing, four different apps were installed without user consent, all of which harbored the HiddenAds Android Trojan.
Again, this is nothing more than annoying adware, but only the good intentions of adware developers can prevent any of these hidden downloaders from installing something more malicious.
In his research, Collier also explored whether there was a correlation between UMX and the malicious apps found on ANS devices. And there was.
"There is a configuration app found on an ANS UL40 with a digital certificate signed by a company [called TeleEpoch] that is a registered brand of UMX," Collier said.
"As for the scoreboard, it is two different configuration apps with two different malware variants on two different phone makes & models, and they all appear to be tied to TeleEpoch Ltd," he added. So far, only two brands, ANS and UMX, have been found to have malware pre-installed in their settings apps via the Lifeline Assistance program," he said. [For users of these devices, Malwarebytes has published instructions on how to remove the WirelessUpdate app. Unfortunately, you cannot get out of the Settings app unless you wipe and completely reinstall the Android OS.
Collier concludes that "budgets should not mean compromising one's safety with pre-installed malware."
Comments