Malware Found Pre-Installed on Low-Cost Android Smartphones
Phones Sold Through US Government-Subsidized Program
For the second time this year, security researchers have found malware embedded in low-cost Android smartphones distributed through a U.S. government program, security firm Malwarebytes reports.
In this latest case, Malwarebytes analysts found the malware embedded in the "settings" feature of the Android smartphone, making it nearly impossible to detect or remove from the devices, according to a new research report.
The Malwarebytes researchers identified the malware-laced phone model as an American Network Solutions UL40 smartphone running version 7.1.1 of the Android operating system. The ANS devices and other low-cost phones are distributed through the Lifeline Assistance Program, which is sponsored by the U.S. Federal Communications Commission and uses Assurance Wireless by Virgin Mobile as one of the carriers.
Malwarebytes obtained an infected ANS UL40 smartphone and studied the malware embedded in the device, according to the report. The analysts note that it's unclear whether this particular version of the phone is still for sale through Assurance Wireless, although the researchers found a copy of the instruction manual online.
But some e-commerce websites are still selling certain models of the ANS UL40, the researchers say.
It's likely that these devices continue to carry the malware because trying to remove the malicious code from the "settings" feature would render the phone inoperable, Nathan Collier, a senior malware intelligence analyst at Malwarebytes, notes in the report.
Spokespersons for American Network Solutions and Assurance Wireless could not be immediately reached for comment.
In January, Malwarebytes found that another low-cost smartphone - the Unimax U686CL - that was available through the Lifeline Assistance Program also was infected with malware, ZDNet reported.
As with the Unimax U686CL, the malware in the ANS UL40 is embedded in both the "settings" and "wireless update" features, according to Malwarebytes. But the two phones do not carry the same malware, the researchers say.
The researchers found a Trojan in the "settings" feature of the ANS UL40 smartphone, but they could not determine the malware's exact function. The malware is heavily obfuscated, which makes it difficult to find within the devices, they note. When the researchers located the malware, it did not appear to be performing any malicious activities.
The ANS UL40 examined by Malwarebytes did not contain a SIM card, causing the researchers to speculate that this might be why the Trojan was not performing any malicious activities.
"We also didn’t spend the normal amount of time a typical user would on the mobile device," Collier says.
The malware that the researchers found in the "wireless update" feature, which allows the device to receive over-the-air updates to the operating system or apps, was identified as a Potentially Unwanted Program, or PUP, that seems to serve up unwanted ads to the user, according to the report.
Unlike the Trojan embedded in the "settings" feature, the malware residing in the "wireless update" feature could be removed without harming the device, the Malwarebytes researchers determined. This required a workaround that involved removing and then reinstalling the "wireless update" feature.
The Malwarebytes research team could not draw a definitive conclusion concerning why two types of smartphones sold through the same program would have malware installed in similar ways. It's also not clear why someone would target a program aimed at sending low-cost phones to low-income individuals.
"There are tradeoffs when choosing a 'budget' mobile device," Collier says. "Some expected tradeoffs are performance, battery life, storage size, screen quality and a list of other things in order to make a mobile device light on the wallet. However, 'budget' should never mean compromising one's safety with pre-installed malware."