Security researchers from Malwarebytes have found malware on state-subsidized Android smartphones. The malware came pre-installed on the devices.
State-subsidized smartphones in the US
In the USA, there are state-subsidized smartphones that are made available to financially disadvantaged citizens. The program is known as ‘Assurance Wireless’, and such devices can be obtained from Virgin Mobile, for example. It is intended to enable citizens who have few financial resources to participate in digital life.
Malware found on Android smartphones
Security researchers from Malwarebytes discovered some time ago that smartphones funded by the US state and made available to financially disadvantaged citizens had malware pre-installed on them. The ANS UL40 smartphone running Android 7.1.1, which can be obtained from Virgin Mobile via Assurance Wireless, is affected.
(ANS UL40, Source: Malwarebytes)
A user who received such a device provided it to Malwarebytes for analysis. Therefore, it is currently unclear whether the device is still available – which does not change the facts of the case. Just like the UMX U683CL, the ANS UL40 is infected with a compromised Settings app and a Wireless Update app.
App Name: Settings
The Settings app contains a Trojan, but the Malwarebytes security researchers did not detect any malicious activity triggered by it during the analysis period. However, it must be noted that the security researchers did not spend as much time on the device as a typical user would. No SIM card was installed in the device, which could have an effect on the behavior of the malware. Nevertheless, there is enough evidence that this Settings app has the ability to download apps from a third-party app store.
For the Wireless Update app, the infection looks like this:
- Package Name: com.fota.wirelessupdate
- MD5: 282C8C0F0D089E3CD522B4315C48E201
- App Name: WirelessUpdate
- Detections: Three variants of Android/PUP.Riskware.Autoins.Fota
- Variants .INS, .fscbv, and .fbcv
WirelessUpdate is categorized as a PUP (Potentially Unwanted Program) riskware auto-installer that is capable of automatically installing applications without the user’s consent or knowledge. It also acts as the mobile device’s primary source for updating security patches, operating system updates, and so on. Android/PUP.Riskware.Autoins.Fota has been known to install different variants of Android/Trojan.HiddenAds – and it actually did! In fact, it automatically installed four different variants of HiddenAds, as the security researchers write in their blog post. There you can also read more details.
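To check a device for the Wireless Update app listed above, the following added example (not code from Malwarebytes or from this post) parses the output of `adb shell pm list packages -f` and compares a pulled APK against the MD5 quoted on this page. The function names and the sample listing, including its APK paths, are assumptions constructed for illustration.

```python
import hashlib

# Indicators quoted on this page for the Wireless Update app.
FOTA_PACKAGE = "com.fota.wirelessupdate"
FOTA_MD5 = "282C8C0F0D089E3CD522B4315C48E201"

# Constructed sample of `pm list packages -f` output; the APK paths are
# assumptions for illustration, not values from the Malwarebytes report.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/WirelessUpdate/WirelessUpdate.apk=com.fota.wirelessupdate
package:/data/app/org.example.notes-1/base.apk=org.example.notes
"""


def parse_pm_list(output):
    """Map package name -> APK path from lines shaped package:<path>=<name>."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue  # skip warnings and blank lines
        # Split on the last '=': a package name cannot contain one.
        path, name = line[len("package:"):].rsplit("=", 1)
        packages[name] = path
    return packages


def triage(pm_output, apk_bytes=None, expected_md5=FOTA_MD5):
    """Classify a device listing against the page's package name and MD5."""
    path = parse_pm_list(pm_output).get(FOTA_PACKAGE)
    if path is None:
        return {"status": "absent", "path": None, "preinstalled": False}
    # APKs under /system or /vendor ship in the firmware image.
    preinstalled = path.startswith(("/system/", "/vendor/"))
    if apk_bytes is None:
        status = "present"  # package name match only, no file to hash
    elif hashlib.md5(apk_bytes).hexdigest() == expected_md5.lower():
        status = "hash-match"
    else:
        status = "hash-differs"  # same package name, different build
    return {"status": status, "path": path, "preinstalled": preinstalled}


if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT))
```

The MD5 identifies only the one build that was analysed, so a `hash-differs` result on a device with this package name still calls for a scan of the pulled APK.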