Android: Preinstalled malware found on subsidized US smartphones

[German]Security researchers from Malwarebytes have found Malware on state-subsidized Android smartphones. The malware was pre-installed on the state sponsored devices.


Smartphones sponsored by the US states

In the USA, there are state-subsidized smartphones that are made available to financially disadvantaged citizens. The whole thing there is known as ‘Assurance Wireless’, and such devices can be obtained from Virgin Mobile, for example. This is intended to enable citizens who have few financial resources to participate in digital life.

Malware found on Android smartphones

Security researchers from Malwarebytes discovered some time ago that smartphones funded by the US state and made available to financially disadvantaged citizens had malware pre-installed on them. The ANS UL40 smartphone with Android operating system 7.1.1, which can be obtained from Virgin Mobile via Assurance Wireless, is affected. 

(ANS UL40 , Source: Malwarebytes)

A user who has received such a device has provided this malware byte for analysis. Therefore, it is currently unclear whether the device is still available – which does not change the facts of the case. Just like the UMX U683CL, the ANS UL40 is also infected with a compromised Settings app and a Wireless Update app.

MD5: 7ADA4AAEA49383499B405E4CE0A9447F
App Name: Einstellungen
Erkennung: Android/Trojaner.Herunterladen.Wotby.SEK

The app contains a Trojan, but the Malwarebytes security researchers did not detect any malicious activity triggered by this infected Settings app during the analysis period of the app. However, it must be noted that the security researchers also did not spend the time on the device that a typical user would spend on a mobile device. No SIM card was installed in the device, which could have an effect on the behavior of the malware. Nevertheless, there is enough evidence that this settings app has the ability to download apps from a third-party app store.


For the Wireless Update app, the infection looks like this:

  • Package Name: com.fota.wirelessupdate
  • MD5: 282C8C0F0D089E3CD522B4315C48E201
  • App Name: WirelessUpdate
  • Detections: Three variants of Android/PUP.Riskware.Autoins.Fota
    • Variants .INS, .fscbv, and .fbcv

WirelessUpdate is categorized as a PUP (Potentially Unwanted Program) riskware auto-installer that is capable of automatically installing applications without the user’s consent or knowledge. It also acts as the mobile device’s primary source for updating security patches, operating system updates, and so on. Android/PUP.Riskware.Autoins.Fota has been known to install different variants of Android/Trojan.HiddenAds – and it actually did! In fact, it automatically installed four different variants of HiddenAds, as the security researchers write in their blog post. There you can also read more details.

Similar articles:
German authorities found preinstalled Malware on 4 China phones (June 2019)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , . Bookmark the permalink.

1 Response to Android: Preinstalled malware found on subsidized US smartphones

  1. P.D. says:

    Yep, same phone, same issue as January; this time it was delivered with an “Update” package.

    But, who cares? It’s phones for the low-income underclass, not important here in Orange Tiberius’s State, save to exploit and kick to the curb.

Leave a Reply to P.D. Cancel reply

Your email address will not be published. Required fields are marked *