Researchers last week discovered Android phones subsidized through the FCC’s Lifeline Assistance program come preinstalled with malware. Removing the malware causes the device to cease to work.
The UMX U686CL (pictured above) is provided by an offshoot of the Lifeline Assurance plan offered by Virgin Mobile’s Assurance Wireless program. Both of these subsidized programs provided millions of low-income families with phone service.
Recent discovery by Malwarebytes researchers found these phones come with some nasty malware surprises. Virgin mobile claim these apps are not malicious.
The first malware (heavily obfuscated to avoid easy detection) installs adware without the permission or knowledge of the user making it impossible for the user to opt-out of this installation. The Android/Trojan.Dropper.Agent contains identical code contained within two other trojan droppers. They both contain the exact hidden library named com.android.google.bridge.liblmp.
So whats it do? The malware installs these programs in the phone’s Settings app. Once loaded into memory, the library is installed and the software calls Android/Trojan.HiddenAds. It then aggressively displays ads. If the user attempts to uninstall the Settings app it renders the phone useless.
The second surprise is something called Wireless Update. While its intent is to download and install necessary phone updates, it also installs a litany of unwanted apps without permission. The app is a variant of the 2016 China-based Adups which collected data from hundreds of thousands of low cost phones from BLU. The moment you log into the device, Wireless Updates starts to auto-install with zero consent.
There is ample online discussions complaining of annoying displayed ads and apps auto-installing without user consent. Additionally this thread discusses ads displaying on the home screen even when the user isnt browsing online.