'Obamaphones' come preloaded with malware

White smartphone displaying skull and crossbones on red screen background.
(Image credit: Aaban/Shutterstock)

A cheap Android phone subsidized for low-income Americans by the federal government comes preloaded with malware, according to cybersecurity firm Malwarebytes.

The phones are made by Unimax, a Chinese company. Malwarebytes found that an updater app called Wireless Update preloaded on the Unimax UMX U686CL model contains Adups, a notorious Chinese adware strain that can install more apps without the user's permission. 

That's already pretty bad, but at least the Wireless Update app can be uninstalled, and AdUps generally only installs more adware. Much worse is the fact that the Settings app on the phones includes a hidden "dropper" Trojan similar to known dangerous malware strains -- and you can't remove the Settings app without making the phone unstable.

From danger to desk accessory

"Uninstall Wireless Update, and you could be missing out on critical updates for the OS. We think that's worth the tradeoff," wrote Malwarebytes' Nathan Collier in a company blog post. "But uninstall the Settings app, and you just made yourself a pricey paperweight."

The phones were apparently sold in the United States by Assurance Wireless, a subsidiary of soon-to-be-shuttered Virgin Mobile, as part of a federal program to provide telephones at low cost to people who can't otherwise afford phone service. The Unimax UMX U686CL did not appear on the Assurance Wireless website as of Friday morning, but a model called the Unimax UMX U683CL is still available.

Such subsidized phones are popularly referred to as "Obamaphones," even though the program, officially called Lifeline Assistance, started in 1985 during the Reagan administration. In 2005, while George W. Bush was president, the program expanded to mobile phones.

Collier wrote that Assurance Wireless sells the Unimax UMX U686CL to Lifeline Assistance recipients for $35, but the Assurance Wireless website implies that many phones are provided for free.

What to do

If you own a Unimax UMX U686CL, it's best to just turn it off and get a new phone. Unimax phones aren't the only brand sold as part of Lifeline Assistance. Assurance Wireless offers more than a dozen other models, including two other Unimax phones, and many other companies sell Lifelife Assistance phones, including AT&T and Verizon

Assurance Wireless parent company Virgin Mobile is owned by Sprint, which told Ars Technica: "We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware."

Ironically, Collier wrote, the UMX U686CL is otherwise pretty good for a phone that normally retails for $35.

"It is not a bad phone. It feels solid in hand and runs smoothly," wrote Collier. "Sure, it's not the fastest mobile device, but it's a fully capable smart phone. In general, without the malware, this device is a good option for anyone on a budget."

Cheap Android phones made by off-brand Chinese companies are notorious for shipping with adware and, occasionally, malware. We've documented nearly half a dozen instances of this in the past several years. 

As always, our advice remains: Don't buy cheap Chinese phones, and on any Android phone, make sure you're running one of the best Android antivirus apps.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.