We have found yet another phone model with pre-installed malware provided through the Lifeline Assistance program via Assurance Wireless by Virgin Mobile. This time, it is an ANS (American Network Solutions) UL40 running Android OS 7.1.1.
After our January article, "United States government-funded phones come pre-installed with unremovable malware", we heard an outcry from Malwarebytes patrons. Some claimed that various ANS phone models were experiencing the same issues as the UMX (Unimax) U683CL. However, it is very hard to verify such cases without physically having the mobile device in hand. Therefore, I could not confidently write about such cases publicly. Luckily, one Malwarebytes patron was committed to proving his case. Thank you to Malwarebytes patron Rameez H. Anwar for sending us your ANS UL40 for further research! Your cyber-security expertise and persistence in this case will surely help others!
Clarification of availability
To clarify, it is unclear whether the phone in question, the ANS UL40, is currently available from Assurance Wireless. However, the ANS UL40 User Manual is listed (at the time of this writing) on the Assurance Wireless website.
Therefore, we can only assume it is still available to Assurance Wireless customers. Regardless, the ANS UL40 was offered at some point, and some customers may still be affected.
Infection types
Just like the UMX U683CL, the ANS UL40 comes infected with a compromised Settings app and Wireless Update app. Although this is true, the two phones are not infected with the same malware variants. The infections are similar but have their own unique infection characteristics. Here is a rundown of the infected apps.
- Package Name: com.android.settings
- MD5: 7ADA4AAEA49383499B405E4CE0A9447F
- App Name: Settings
- Detection: Android/Trojan.Downloader.Wotby.SEK
The Settings app is exactly what it sounds like: it is the essential system app used to control all of the mobile device's settings. Thus, removing it would leave the device unusable. In the case of the ANS UL40, it is infected with Android/Trojan.Downloader.Wotby.SEK.
Proof of infection is based on several similarities to other variants of Downloader Wotby. Although the infected Settings app is heavily obfuscated, we were able to find similar malicious code. Furthermore, it shares the same receiver name: com.sek.y.ac; service name: com.sek.y.as; and activity names: com.sek.y.st, com.sek.y.st2, and com.sek.y.st3. Some variants also share a text file found in the assets directory named wiz.txt. It appears to be a list of "top apps" to download from a third-party app store. Here is a snippet of code from the text file.
To be fair, no malicious activity was triggered for us by this infected Settings app. We were expecting to see some kind of notification or browser popup populated with data from the code above. Sadly, that never happened. But we also did not spend the normal length of time a typical user would on the mobile device. Nor was a SIM card installed in the device, which may affect how the malware behaves. Nevertheless, there is enough evidence that this Settings app has the ability to download apps from a third-party app store. That is not okay. Therefore, the detection stands.
Although unsettling, it is important to note that the apps from the third-party app store appear to be malware-free. We verified this by manually downloading a couple of them ourselves for analysis. That is not to say that malicious versions could not be uploaded at a later date. Nor did we test every sample. However, we believe the sample set we did test holds true for the other apps on the site. Under those conditions, even if the ANS's Settings app had downloaded an app from the list, it is still not as bad as the Settings app seen on the UMX U683CL.
- Package Name: com.fota.wirelessupdate
- MD5: 282C8C0F0D089E3CD522B4315C48E201
- App Name: WirelessUpdate
- Detections: Three variants of Android/PUP.Riskware.Autoins.Fota
- Variants .INS, .fscbv, and .fbcv
WirelessUpdate is categorized as a Potentially Unwanted Program (PUP) riskware auto-installer that has the ability to auto-install apps without user consent or knowledge. It also functions as the mobile device's main source of security patches, OS updates, and so on.
Android/PUP.Riskware.Autoins.Fota in particular is known for installing various variants of Android/Trojan.HiddenAds, and indeed it did! In fact, it auto-installed four different variants of HiddenAds, as seen below!
- Package Name: com.covering.troops.merican
- MD5: 66C7451E7C87AD5145596012C6E9F9A0
- App Name: Merica
- Detection: Android/Trojan.HiddenAds.MERI
- Package Name: com.sstfsk.cleanmaster
- MD5: 286AB10A7F1DDE7E3A30238D1D61AFF4
- App Name: Clean Master
- Detection: Android/Trojan.HiddenAds.BER
- Package Name: com.sffwsa.fdsufds
- MD5: 4B4E307B32D7BB2FF89812D4264E5214
- App Name: Class
- Detection: Android/Trojan.HiddenAds.SFFW
- Package Name: com.slacken.work.mischie
- MD5: 0FF11FCB09415F0C542C459182CCA9C6
- App Name: Mischi
- Detection: Android/Trojan.HiddenAds.MIS
Payload drop verification
Now you may be wondering, "How did you verify which of the two pre-installed infected system apps is dropping the payloads?" The process works as follows. You disable one of them when first setting up the mobile device. In both the UMX and ANS cases, choosing which one to disable was easy, because disabling the Settings app renders the phone unusable. So, disabling WirelessUpdate was the obvious choice in both cases. The next step in the process is waiting a few weeks to see if anything happens. And yes, you sometimes have to wait this long for the malware to drop payloads. If nothing happens after a few weeks, it is time to re-enable the infected system app and start the waiting game all over again.
Using this process, we found that in the case of the UMX U683CL, the Settings app was the culprit. For the ANS UL40, after not seeing any dropped payload(s) for weeks, I re-enabled WirelessUpdate. Within 24 hours, it installed the four HiddenAds variants! Caught red-handed, WirelessUpdate!
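The disable-wait-diff procedure above comes down to two package snapshots and a list of known-bad hashes. The helpers below are an added example, not code from the Malwarebytes post: they reproduce that verification as plain-text functions so the logic runs offline. On a real device the snapshots would come from `adb shell pm list packages -3 -i` (third-party packages with their recorded installer) taken before disabling WirelessUpdate and again after re-enabling it, and the APK hashes from `adb pull` followed by `md5sum`. The snapshot and hash lines here are constructed sample data in those formats; the only real values are the four MD5s and package names from the list above.

```shell
#!/bin/sh
# Added example (not the article's own code). Offline helpers for the
# "disable one app, wait, then diff" verification. Input formats mirror
#   adb shell pm list packages -3 -i     -> "package:<name>  installer=<pkg|null>"
#   md5sum <apk>                         -> "<md5>  <path>"
# All snapshot/hash text below is constructed sample data.

# IoC table from the article: MD5 and package name of the four HiddenAds payloads.
KNOWN_BAD='66C7451E7C87AD5145596012C6E9F9A0 com.covering.troops.merican
286AB10A7F1DDE7E3A30238D1D61AFF4 com.sstfsk.cleanmaster
4B4E307B32D7BB2FF89812D4264E5214 com.sffwsa.fdsufds
0FF11FCB09415F0C542C459182CCA9C6 com.slacken.work.mischie'

# pkg_names SNAPSHOT : reduce a `pm list packages -i` snapshot to bare package names.
pkg_names() {
    printf '%s\n' "$1" | sed -n 's/^package:\([^ ]*\).*/\1/p'
}

# new_packages BEFORE AFTER : package names present in AFTER but absent from BEFORE.
new_packages() {
    before=$(pkg_names "$1")
    pkg_names "$2" | while read -r pkg; do
        printf '%s\n' "$before" | grep -qxF "$pkg" || printf '%s\n' "$pkg"
    done
}

# installer_of SNAPSHOT PKG : the installer recorded for PKG ("null" when unknown).
installer_of() {
    printf '%s\n' "$1" | awk -v p="package:$2" \
        '$1 == p { sub(/^installer=/, "", $2); print $2 }'
}

# match_iocs HASHES : HASHES is md5sum-style text. Prints the KNOWN_BAD package
# name for every hash that matches, comparing case-insensitively.
match_iocs() {
    printf '%s\n' "$1" | tr 'a-f' 'A-F' | while read -r md5 rest; do
        [ -n "$md5" ] || continue
        printf '%s\n' "$KNOWN_BAD" | awk -v h="$md5" '$1 == h { print $2 }'
    done
}

# dropper_verdict BEFORE AFTER SUSPECT : "confirmed" when every package that
# appeared after re-enabling SUSPECT lists SUSPECT as its installer, "partial"
# when only some do, "none" when nothing new appeared or nothing points at it.
dropper_verdict() {
    total=0; hits=0
    for pkg in $(new_packages "$1" "$2"); do
        total=$((total + 1))
        if [ "$(installer_of "$2" "$pkg")" = "$3" ]; then
            hits=$((hits + 1))
        fi
    done
    if [ "$total" -eq 0 ] || [ "$hits" -eq 0 ]; then echo none
    elif [ "$hits" -eq "$total" ]; then echo confirmed
    else echo partial
    fi
}

# Constructed snapshots: before, only a browser; after re-enabling WirelessUpdate,
# two of the article's HiddenAds packages appear with it recorded as installer.
SNAP_BEFORE='package:com.example.browser  installer=null'
SNAP_AFTER='package:com.example.browser  installer=null
package:com.covering.troops.merican  installer=com.fota.wirelessupdate
package:com.sstfsk.cleanmaster  installer=com.fota.wirelessupdate'

echo "new packages:"
new_packages "$SNAP_BEFORE" "$SNAP_AFTER"
echo "verdict for com.fota.wirelessupdate: $(dropper_verdict "$SNAP_BEFORE" "$SNAP_AFTER" com.fota.wirelessupdate)"
```

The installer field is the quick tell: on a stock device a user-installed app records the store that installed it, while anything a system component pushes carries that component's package name. Hash matching closes the loop, since an installer field can be absent on some builds but an APK hash against the published MD5s cannot be argued with.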
The tie between UMX and ANS
With our findings, we suspect some readers are left wondering: is this a correlation or a coincidence? We know that both the UMX and ANS mobile devices have the same infected system apps. However, the malware variants on the U683CL model and the UL40 are different. As a result, I initially did not believe there were any ties between the two brands. I put it down to coincidence rather than correlation. That is, until I stumbled upon evidence suggesting otherwise.
The Settings app found on the ANS UL40 is signed with a digital certificate whose common name is teleepoch. Searching for teleepoch turns up the company TeleEpoch Ltd along with a link to their website. Right there on the homepage of TeleEpoch Ltd it states: Teleepoch registered brand "UMX" in the US.
Let's review. We have a Settings app found on an ANS UL40 with a digital certificate signed by a company that holds a registered brand of UMX. For the scoreboard, that is two different Settings apps with two different malware variants on two different phone manufacturers and models that all appear to tie back to TeleEpoch Ltd. Furthermore, so far the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX.
This led me to research the correlation further by looking at cases in our support system involving other ANS models that might also have preinstalled malware. That is when I found the ANS L51. For the record, the L51 was another model reported as having preinstalled malware in the comments of the UMX article in January. I found that the ANS L51 had the exact same malware variants as the UMX U683CL! There, within previous support tickets, was hard evidence of the ANS L51 infected with Android/Trojan.Dropper.Agent.UMX and Android/PUP.Riskware.Autoins.Fota.fbcvd. That drives home the TeleEpoch, UMX, and ANS correlation!
We have the utmost faith that ANS will quickly find a resolution to this issue, just as UMX did, as stated in the UPDATE: February 11, 2020 section of the January article. As a silver lining, we did not find the Settings app on the ANS to be nearly as vicious as the one on the UMX. Thus, the urgency is not as severe this time around.
In the meantime, frustrated customers with the ANS UL40 can stop the reinfection of HiddenAds by using this method to uninstall WirelessUpdate for the current user (details in the link below):
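The tie between the two brands rests on the signing certificate's common name. As an added example (not code from the post), the helpers below parse the subject and fingerprint lines of `keytool -printcert -jarfile <apk>` output and compare two apps' signers. The point they make is the caveat a practitioner would apply to the reasoning above: a matching CN is a lead, since anyone can put any string in a self-signed certificate's subject, while a matching certificate fingerprint shows the same key signed both APKs. The certificate text here is constructed sample data with placeholder fingerprints; only the CN value teleepoch comes from the article, and the second and third certificates are hypothetical, not the real UMX certificate.

```shell
#!/bin/sh
# Added example (not the article's own code). Parses keytool-style certificate
# text and compares two signers. Real input would come from
#   keytool -printcert -jarfile app.apk
# All certificate text below is constructed; fingerprints are placeholders.

# cert_cn TEXT : the CN attribute of the Owner (subject) line.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# cert_sha256 TEXT : the SHA256 fingerprint line, as keytool prints it.
cert_sha256() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# compare_signers CERT_A CERT_B :
#   same-key      identical SHA256 fingerprint (same signing certificate)
#   same-cn-only  subject CN matches but the certificates differ
#   different     nothing in common
compare_signers() {
    fp_a=$(cert_sha256 "$1"); fp_b=$(cert_sha256 "$2")
    cn_a=$(cert_cn "$1");     cn_b=$(cert_cn "$2")
    if [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]; then
        echo same-key
    elif [ -n "$cn_a" ] && [ "$cn_a" = "$cn_b" ]; then
        echo same-cn-only
    else
        echo different
    fi
}

# Constructed certificate summaries. CERT_A stands in for the UL40 Settings app
# (CN from the article); CERT_B is a hypothetical second app with the same CN but
# a different key; CERT_C is an unrelated signer.
CERT_A='Owner: CN=teleepoch
Issuer: CN=teleepoch
Certificate fingerprints:
     SHA1: PLACEHOLDER:SHA1:A
     SHA256: PLACEHOLDER:SHA256:A'
CERT_B='Owner: CN=teleepoch
Issuer: CN=teleepoch
Certificate fingerprints:
     SHA1: PLACEHOLDER:SHA1:B
     SHA256: PLACEHOLDER:SHA256:B'
CERT_C='Owner: CN=Android Debug, O=Android, C=US
Issuer: CN=Android Debug, O=Android, C=US
Certificate fingerprints:
     SHA1: PLACEHOLDER:SHA1:C
     SHA256: PLACEHOLDER:SHA256:C'

echo "A vs B: $(compare_signers "$CERT_A" "$CERT_B")"
echo "A vs A: $(compare_signers "$CERT_A" "$CERT_A")"
echo "A vs C: $(compare_signers "$CERT_A" "$CERT_C")"
```

`apksigner verify --print-certs` reports the same information with different line prefixes; the comparison logic is unchanged, only the two `sed` patterns would need adjusting. Either way, pulling both Settings APKs and comparing fingerprints is the check that turns the common-name observation into evidence of a shared signing key.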
Removal instructions for Adups
Warning: Be sure to read Restoring apps onto the device (without factory reset) for the rare case in which you need to revert or restore the app, for instance if you want to restore WirelessUpdate to check whether there are important system updates.
Use this command during step 7 under Uninstalling Adups via ADB command line to remove it:
adb shell pm uninstall -k --user 0 com.fota.wirelessupdate
Budget should not equate to malware
There are tradeoffs when choosing a budget mobile device. Some expected tradeoffs are performance, battery life, storage size, screen quality, and a list of other things given up in order to get a mobile device that is light on the wallet.
However, budget should never mean compromising one's security with pre-installed malware. Period.