Connect with us

Hi, what are you looking for?


Mobile & Wireless

Threat From Pre-Installed Malware on Android Phones is Growing

[Update] Pre-installed malware on Android phones is a growing menace — so much that on Wednesday this week, Privacy International and around 50 other international NGOs (including ACLU, EFF, Amnesty and the TOR project) sent an open letter to Google demanding a stop to the habit. 

[Update] Pre-installed malware on Android phones is a growing menace — so much that on Wednesday this week, Privacy International and around 50 other international NGOs (including ACLU, EFF, Amnesty and the TOR project) sent an open letter to Google demanding a stop to the habit. 

“We urge you to use your position as an influential agent in the ecosystem to protect people and stop manufacturers from exploiting them in a race to the bottom on the pricing of smartphones,” they wrote.

Now, in an unrelated report, Malwarebytes discusses one example of this apparent ‘race to the bottom’ in a low-priced phone. Adding insult to injury, the phone in question is manufactured in China with apparently pre-installed Chinese malware, yet sold to Americans for just $35 under the government funded Lifeline Assistance program. The phone in question is the UMX U686CL sold by Virgin Mobile (Virgin Mobile US is a subsidiary of Sprint).

Contacted by SecurittyWeek, Danielle Babbington, Senior Public Relations Manager at Sprint, said the carrier was looking into the report. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware,” Babbington said.

The FCC declined to comment, noting that it had not yet reviewed the report. 

The pre-installed malware comprises a Wireless Update app detected by Malwarebytes as Android/PUP.Riskware.Autoins.Fota.fbcvd, and a Settings app that is malware detected as Android/Trojan.Dropper.Agent.UMX.

“From the moment you log into the mobile device,” say the Malwarebytes researchers, “Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own.” While it is possible to uninstall this app — which could potentially be used to secretly download malware — the user could miss out on critical operating system updates. “We think that’s worth the tradeoff, and suggest doing so,” says Malwarebytes.

The Settings app, however, cannot be uninstalled without converting the phone into ‘a pricey paper weight’ because it provides the dashboard from which all settings are changed. The code of this app is almost identical to two other know mobile trojan droppers, differing only in the variable names. One of these uses Chinese characters for the variable names — leading Malwarebytes to “assume the origin of this malware is China.”

Advertisement. Scroll to continue reading.

Hidden within the app is a library file named When this library is loaded into memory, it drops further malware known as Android/Trojan.HiddenAds. Malwarebytes could not reproduce this action on their test machine, but note that customers have reported that “a variant of HiddenAds suddenly installs on their UMX mobile device.”

Malwarebytes has no criticism of the phone itself. “It is not a bad phone,” say the researchers. “It feels solid in hand and runs smoothly. Sure, it’s not the fastest mobile device, but it’s a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget.”

The issue is the malware, which is an escalating problem. This report was published just a day after more than 50 international NGOs wrote to Google asking for the Android company to be more proactive in ensuring their users’ security. The letter demands four urgent changes to Google’s practices. Firstly, users should be able to uninstall apps on their phone, including any background processes they might leave behind. Secondly, pre-installed apps should be subject to the same Google scrutiny as is applied to Play Store apps. Thirdly, pre-installed apps should have an update mechanism through Google Play. And fourthly, Google should refuse to certify a device on privacy grounds where manufacturers or vendors attempt to exploit users. 

“We,” say the signatories, “believe these fair and reasonable changes would make a huge difference to millions of people around the world who should not have to trade their privacy and security for access to a smartphone.”

SecurityWeek asked Malwarebytes to comment on the letter. Nathan Collier responded enthusiastically, but with one rider. The ability for users to uninstall apps could be problematic with the Virgin Mobile phone. “For other security reasons,” he said, “I think the ability to remove system apps is a bad idea.  Since we are seeing system apps like the Settings app laced with malware, the ability to remove would permanently damage the device.  However, these apps should at least be able to be disabled.  Many pre-installed malware, like Adups, you can’t even disable it.”

Elsewhere, he as very supportive, confirming the need for an update mechanism. “One of the biggest issues today,” he commented, “is that with system apps like the aforementioned Settings app, there is no solution. You should be able to easily update/replace system level malware with legitimate versions, even if generic, found on Google Play.”

*Updated with responses from Sprint and the FCC.

Related: Triada Trojan Pre-Installed on Low Cost Android Smartphones 

Related: Enterprises Infected By Pre-installed Android Malware 

Related: Raspberry Pi Gets Offer to Pre-Install Malware 

Related: Malware Found Pre-loaded on Phones Sold in Asia, Africa: Research 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.