Security experts have warned that some new Android smartphones are being shipped with malware pre-installed.
Researchers at security firm Malwarebytes have discovered that a low-cost Android device popular with public sector schemes has unremoveable malware present.
What's worse is that the affected device, ANS (American Network Solutions) UL40 provided by Virgin Mobile, is offered by the US government's Lifeline Assistance program to low-income families.
- These popular Android apps were secretly scraping Facebook login details
- Keep your device safe with the best privacy apps for Android
- Uninstall these dangerous Android apps now - they could be stealing data
Android malware
During its investigation, Malwarebytes found that the ANS UL40, which runs Android 7.1.1. comes infected with a compromised Settings app and Wireless Update app.
The Settings app was a particular concern, as it has the ability to download apps from a third-party app store. As it is a required system app, allowing users can modify and alter settings on their device, it cannot be removed or deleted.
Malwarebytes found the Settings app was infected with Android/Trojan.Downloader.Wotby.SEK, which was already present in the wild. The malware code includes a list of “top apps” to download from a third-party app store, which could open up the user to malicious downloads. Malwarebytes tested a number of the apps on the list, and found them to be malware-free, but could not rule out the risk of infection at a later date.
The WirelessUpdate function, ostensibly used for downloading and updating security patches, and software updates, was called out for its ability to auto-install apps without user consent or knowledge. It was found to contain a Potentially Unwanted Program (PUP) riskware auto-installer that was known for installing various variants of adware and Trojan malware.
The update comes shortly after the Malwarebytes team also found irremovable malware on another device, the UMX U686CL phone. After investigating possible links between the two devices, the team discovered that they shared a common digital certificate, signed and linking back to a company based in the US.
The company says that the ANS UL40 appears to be currently unavailable, but still appears on some supplier websites, meaning customers could still be at risk - and should not buy the device, no matter how cheap it is.
"There are tradeoffs when choosing a budget mobile device," Malwarebytes' Nathan Collier wrote in a blog post.
"Some expected tradeoffs are performance, battery life, storage size, screen quality, and list of other things in order to make a mobile device light on the wallet. However, budget should never mean compromising one’s safety with pre-installed malware. Period."
- Our pick of the best Android antivirus app of 2020
