[Update] Pre-installed malware on Android phones is a growing menace — so much that on Wednesday this week, Privacy International and around 50 other international NGOs (including ACLU, EFF, Amnesty and the TOR project) sent an open letter to Google demanding a stop to the habit.
“We urge you to use your position as an influential agent in the ecosystem to protect people and stop manufacturers from exploiting them in a race to the bottom on the pricing of smartphones,” they wrote.
Now, in an unrelated report, Malwarebytes discusses one example of this apparent ‘race to the bottom’ in a low-priced phone. Adding insult to injury, the phone in question is manufactured in China with apparently pre-installed Chinese malware, yet sold to Americans for just $35 under the government funded Lifeline Assistance program. The phone in question is the UMX U686CL sold by Virgin Mobile (Virgin Mobile US is a subsidiary of Sprint).
Contacted by SecurittyWeek, Danielle Babbington, Senior Public Relations Manager at Sprint, said the carrier was looking into the report. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware,” Babbington said.
The pre-installed malware comprises a Wireless Update app detected by Malwarebytes as Android/PUP.Riskware.Autoins.Fota.fbcvd, and a Settings app that is malware detected as Android/Trojan.Dropper.Agent.UMX.
“From the moment you log into the mobile device,” say the Malwarebytes researchers, “Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own.” While it is possible to uninstall this app — which could potentially be used to secretly download malware — the user could miss out on critical operating system updates. “We think that’s worth the tradeoff, and suggest doing so,” says Malwarebytes.
The Settings app, however, cannot be uninstalled without converting the phone into ‘a pricey paper weight’ because it provides the dashboard from which all settings are changed. The code of this app is almost identical to two other know mobile trojan droppers, differing only in the variable names. One of these uses Chinese characters for the variable names — leading Malwarebytes to “assume the origin of this malware is China.”
Hidden within the app is a library file named com.android.google.bridge.LibImp. When this library is loaded into memory, it drops further malware known as Android/Trojan.HiddenAds. Malwarebytes could not reproduce this action on their test machine, but note that customers have reported that “a variant of HiddenAds suddenly installs on their UMX mobile device.”
Malwarebytes has no criticism of the phone itself. “It is not a bad phone,” say the researchers. “It feels solid in hand and runs smoothly. Sure, it’s not the fastest mobile device, but it’s a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget.”
The issue is the malware, which is an escalating problem. This report was published just a day after more than 50 international NGOs wrote to Google asking for the Android company to be more proactive in ensuring their users’ security. The letter demands four urgent changes to Google’s practices. Firstly, users should be able to uninstall apps on their phone, including any background processes they might leave behind. Secondly, pre-installed apps should be subject to the same Google scrutiny as is applied to Play Store apps. Thirdly, pre-installed apps should have an update mechanism through Google Play. And fourthly, Google should refuse to certify a device on privacy grounds where manufacturers or vendors attempt to exploit users.
“We,” say the signatories, “believe these fair and reasonable changes would make a huge difference to millions of people around the world who should not have to trade their privacy and security for access to a smartphone.”
SecurityWeek asked Malwarebytes to comment on the letter. Nathan Collier responded enthusiastically, but with one rider. The ability for users to uninstall apps could be problematic with the Virgin Mobile phone. “For other security reasons,” he said, “I think the ability to remove system apps is a bad idea. Since we are seeing system apps like the Settings app laced with malware, the ability to remove would permanently damage the device. However, these apps should at least be able to be disabled. Many pre-installed malware, like Adups, you can’t even disable it.”
Elsewhere, he as very supportive, confirming the need for an update mechanism. “One of the biggest issues today,” he commented, “is that with system apps like the aforementioned Settings app, there is no solution. You should be able to easily update/replace system level malware with legitimate versions, even if generic, found on Google Play.”
*Updated with responses from Sprint and the FCC.
Related: Triada Trojan Pre-Installed on Low Cost Android Smartphones
Related: Enterprises Infected By Pre-installed Android Malware
Related: Raspberry Pi Gets Offer to Pre-Install Malware
Related: Malware Found Pre-loaded on Phones Sold in Asia, Africa: Research