A phone sold by the United States government-funded Assurance Wireless comes with two malware pre-installed. The UMX U683CL is sold by the carrier for $35 via the Lifeline Assistance Program. It has been discovered to come with two malicious apps that can potentially steal user data and show ads to said users.
The malicious apps were discovered by Malwarebytes Labs who asked the carrier point-blank about them but did not receive any response.
The first malware is the Wireless Update app which is used for downloading and installing software updates on the UMX smartphone. However, the same app is also capable of auto-installing apps without explicit user permission. On further digging by the Malwarebytes team, it discovered that this app is a variant of Adups, a Chinese company that's known to collect user data using shady apps, create backdoors in mobile devices, and indulge in other unethical practices.
The Wireless Update app starts installing apps on the phone as soon as a user logs into it and it does so without any user permission. It is important to note that none of the apps it installs are malicious in nature, though there's no guarantee it might not install such apps down the line.
While the Wireless Update app can be disabled, it would end up preventing users from installing software updates on the device.
The second malware is worse, as it is hidden inside the heavily obfuscated Settings app which Malwarebytes classifies as a Trojan dropper. The malware also originated from China.
This malware will slowly infect the UMX U683CL with the HiddenAds Trojan which continuously runs in the background and displays annoying ads on the lock screen. The malware does not create an app drawer icon and displays a blank notification in the notification box to avoid being detected by unsuspecting users.
The Settings app itself cannot be disabled, but one can uninstall the HiddenAds Trojan by digging into the Settings menu or through the Malwarebytes app.
Recently, Samsung was also accused of working with a shady Chinese company for sourcing a feature for its Galaxy smartphone. It is high time that Google steps up and takes strong action against OEMs who are pre-installing shady apps and malware in their devices. A group of over 50+ organizations has also requested Google to do something about bloatware on Android and how they pose a risk to users' privacy.
Screenshots via Malwarebytes.