Showing results for 
Search instead for 
Did you mean: 

General Discussions

Unremovable malware found preinstalled on low-end smartphone sold in the US Malwarebytes said it found malware pre-installed on Unimax U673c handsets, sold by Assurance Wireless (Virgin Mobile) in the US.

Article: Unremovable malware found preinstalled on low-end smartphone sold in the US | ZDNet 

Low-end smartphones sold to Americans with low-income via a government-subsidized program contain unremovable malware, security firm Malware bytes said today in a report.

The smartphone model is Unimax (UMX) U686CL, a low-end Android-based smartphone made in China and sold by Assurance Wireless, a cell phone service provider part of the Virgin Mobile group.

The telco sells cell phones part of Lifeline, a government program that subsidizes phone service for low-income Americans.

"In late 2019, we saw several complaints in our support system from users with a government-issued phone reporting that some of its pre-installed apps were malicious," Malwarebytes said in a report published today.

The company said it purchased a UMX U686CL smartphone and analyzed it to confirm the reports it was receiving.

Adups backdoor

For starters, Malwarebytes said it found that one of the phone's components, an app named Wireless Update, contained the Adups malware.

The Adups malware was discovered in 2017 by Kryptowire, and it's a malicious firmware component created by a Chinese company of the same name.

Adups provides the component as a firmware-over-the-air (FOTA) update system to various smartphone makers and firmware vendors.

The component is supposed to allow firmware vendors a way to update their code, but in 2017 the Kryptowire team discovered that Adups (the company) also had the ability to ship updates to users' phones, bypassing smartphone vendors and users alike.

Malwarebytes says that this component was currently in use on UMX devices, and was being used to install apps without the user's knowledge. By who remains unclear.

"From the moment you log into the mobile device [the UMX U686CL], Wireless Update starts auto-installing apps," the Malwarebytes team said. "To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it

just installs apps on its own.

"While the apps it installs are initially clean and free of malware, it's
important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time."

Dropper leads to adware

But Malwarebytes said there is a second dangerous component included on these phones. Researchers said they also found suspicious code in the phone's Settings app.

The app, Malwarebytes says, was tainted with what appeared to be a strain of heavily-obfuscated malware, believed to be of Chinese origin, due to the heavy use of Chinese characters as variable names.

Security researchers said this malware was coded to work as a dropper for a second-stage malware payload, a well-known adware strain known as HiddenAds.

"Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device," Malwarebytes said.


Malwarebytes researchers said they couldn't confirm that Unimax was the party that added the malware to the devices.

This might be another case where malware was added to devices by third-parties involved in a smartphone's supply chain -- while the devices travel from the phone maker to a buyer.

Malwarebytes said that while the device "is not a bad phone," the presence of the two malware-infected apps make the smartphone worthless and even dangerous to its users.

Making matters worse, the two malicious apps are unremovable.

While users could disable and uninstall the Wireless Update app, this would result in the phone missing out critical security updates for its firmware components -- which effectively makes the app unremovable, at least if you want to keep your device up to date.

On the other hand, the Settings app is unremovable in the real meaning of the word, as there is no way to remove the app, and even if you did, you wouldn't be able to manage your phone afterward.

Malwarebytes says it informed Assurance Wireless of its findings but never heard back from the company. A request for comment sent by ZDNet two days ago was also not returned.

5 Replies

The sad thing is that this keeps popping up year after year...


One study found 74% of android phones had malicious software on them


Yes and the worst part are the Cellphones that are infected via Firmware. The only way to get rid of the malware is by tossing the cellphone away and buy a new uninfected one.

In the case of the Chinese Cellphones, if you got deleted the infected app, you cellphone won't be updated anymore thus becoming insecure in time. But the infected Settings App you can't get rid of. IF you do the cellphone is inoperable thus you need to toss it in the garbage.


The update issue is an issue for a lot of phones due to Google's nonexistant security policies, leading both to a severe fragmentation of Android, and the ability for even flagship phones to become insecure in a matter of a couple of years, as security updates can only go so far when they're unable to update to the latest version of Android. Look at the Galaxy S6, for example. Some tech sites have been jumping on this for years, and even Google isn't particularly happy, but if you think of the tens of millions of phones worldwide...And the situation is even worse as you move down the manufacturer stack.

Would be nice if Android moved to a OS As A Service model like Microsoft did...


Apple is expensive but the platform is safer because apps are screened. Annual software updates are driven by new phones every September.