Another 'Obamaphone' found to contain pre-installed malware: What to do


Yet another cheap phone offered through the U.S. Lifeline Assistance program is infected with pre-installed malware, according to a security researcher.

Malwarebytes' Nathan Collier discovered that an American Network Solutions UL40 Android handset -- available at low cost through Lifeline Assistance, which subsidizes telephone service and equipment for poor families -- was running two malicious apps.

One of them was the Settings app, which would make the phone unstable if it were to be removed. The other was WirelessUpdate, the phone's main method of installing legitimate software updates.

Lifeline Assistance phones are commonly called "Obamaphones," although Obama really had nothing to do with it. The program started in 1985 during the Reagan presidency and was expanded to include mobile phones in 2005 while George W. Bush was president.

This isn’t the first time that Collier has made such a discovery. In January, he found pre-installed malware on the Unimax U686CL, another low-cost Android smartphone provided as part of the Lifeline Assistance scheme.

In both cases, the preinstalled malware or adware, built into the legitimate Settings and WirelessUpdate apps, was capable of downloading additional apps from "off-road" app stores onto the devices of unsuspecting users. 

Collier found that the “infections are similar but have their own unique infection characteristics”. He made the discovery after a Malwarebytes user, Rameez H. Anwar, sent in a compromised ANS UL40 for research purposes.

Hiding in legit apps

The ANS UL40's Settings app embeds a Trojan called Downloader Wotby, which can install third-party apps under the nose of unsuspecting users, and has a precompiled shopping list of apps to install, including the regular Facebook app.

However, the Settings app didn't download anything over the weeks that Collier tested the phone. He manually downloaded a couple of the apps from the shopping list and found them free from malware, but warned, “That’s not to say that malicious versions couldn’t be uploaded at a later date.”

That wasn't the case with WirelessUpdate, which also harbored a downloader. In just 24 hours during Collier's testing, it installed four different apps without the user's consent, all of which harbored the HiddenAds Android Trojan to spam you with unwanted ads.

Again, this was just annoying adware, but only the adware developer's goodwill prevents either of these hidden downloaders from installing something much more malicious.
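One way to spot this kind of silent installation on a device you are examining, as an added example that is not from the article or from Malwarebytes: compare two snapshots of `adb shell pm list packages -3 -i` output and list the user-space packages that appeared in between without coming from Google Play. The package names and the trusted-installer set below are constructed placeholders, not the real names on the ANS UL40.

```python
import re

# Assumption: the owner only installs apps through Google Play.
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `pm list packages -3 -i`: "package:<name>  installer=<name|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample snapshots (placeholder package names).
BASELINE = """\
package:com.example.notes  installer=com.android.vending
"""
LATER = """\
package:com.example.notes  installer=com.android.vending
package:com.example.game  installer=com.android.vending
package:com.example.adapp1  installer=com.example.wirelessupdate
package:com.example.adapp2  installer=null
"""

def parse_snapshot(text):
    """Map package name -> installer (None when reported as 'null')."""
    packages = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            installer = match.group("installer")
            packages[match.group("pkg")] = None if installer == "null" else installer
    return packages

def unexpected_installs(before, after):
    """Packages that appeared between snapshots and were not installed
    by a trusted installer, as sorted (package, installer) pairs."""
    old, new = parse_snapshot(before), parse_snapshot(after)
    return sorted(
        ((pkg, inst) for pkg, inst in new.items()
         if pkg not in old and inst not in TRUSTED_INSTALLERS),
        key=lambda pair: pair[0],
    )

if __name__ == "__main__":
    for pkg, inst in unexpected_installs(BASELINE, LATER):
        print(f"{pkg}: installed by {inst or 'unknown (null)'}")
```

The installer field is recorded at install time by the installing app, so a clean result does not prove nothing was sideloaded; a hit is a reason to inspect the named installer.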

Correlations

In his investigation, Collier also explored whether there were any correlations between the malicious apps found on UMX and ANS devices. And there were.

“We have a Settings app found on an ANS UL40 with a digital certificate signed by a company [called TeleEpoch] that is a registered brand of UMX,” said Collier.

“For the scoreboard, that’s two different Settings apps with two different malware variants on two different phone manufacturers & models that appear to all tie back to TeleEpoch Ltd.,” he added. “Thus far, the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX.”

For users of these devices, Malwarebytes has published instructions on how to remove the WirelessUpdate app. Unfortunately, you're stuck with the Settings app unless you wipe and completely reinstall the Android OS.

Collier concluded that “budget should never mean compromising one’s safety with pre-installed malware.”


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
