We chanced on a mobile phone with pre-build in malware by the Lifeline Support program
Home » found  »  We chanced on a mobile phone with pre-build in malware by the Lifeline Support program
We chanced on a mobile phone with pre-build in malware by the Lifeline Support program
We have discovered, yet again, another phone model with pre-installed malware provided from the Lifeline Assistance program via Assurance Wireless by Virgin Mobile.  This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.   After our writing back in January—”United States government-funded phones come pre-installed with unremovable malware“—we heard an outcry from Malwarebytes…

We contain chanced on, all over all over again, one other mobile phone mannequin with pre-build in malware provided from the Lifeline Support program by Assurance Wi-fi by Virgin Cell.  This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.  

After our writing back in January—”United States authorities-funded telephones advance pre-build in with unremovable malware“—we heard an outcry from Malwarebytes patrons.  Some claimed that various ANS mobile phone items contain been experiencing the same disorders to the UMX (Unimax) U683CL.  On the opposite hand, it’s very laborious to verify such cases with out bodily having the mobile tool in hand. For this arrangement, I might presumably perhaps perhaps no longer confidently write about such cases publicly. Fortunately, we had one Malwarebytes patron dedicated to proving his case. Thanks to Malwarebytes patron Rameez H. Anwar for sending us your ANS UL40 for additional research! Your cyber-safety expertise and persistence into this case will absolutely relieve others!

Clarification of availability

To account for, it's some distance unclear if the mobile phone in demand, the ANS UL40, is in the intervening time available by Assurance Wi-fi. On the opposite hand, the ANS UL40 User Manual is listed (at the time of this writing) on the Assurance Wi-fi internet quandary.

Attributable to this fact, we are in a position to excellent buy it's some distance unruffled available to Assurance Wi-fi customers. Regardless, the ANS UL40 was once provided at some level and some customers might presumably perhaps perhaps unruffled be affected.

An infection sorts

Appropriate admire the UMX U683CL, the ANS UL40 comes infected with a compromised Settings app and Wi-fi Update app. Even supposing this might perhaps presumably perhaps perhaps also be honest appropriate, they are no longer infected with the identical malware variants. The infections are the same but contain their pick up queer infection traits. Right here’s a rundown of the infected apps.


The Settings app is precisely what it sounds admire—it's some distance the required system app historical to modify the total mobile tool’s settings. Thus, eradicating it might perhaps presumably perhaps perhaps leave the tool unusable. For the case of the ANS UL40, it's some distance infected with Android/Trojan.Downloader.Wotby.SEK.

Proof of infection depends on several similarities to varied variants of Downloader Wotby. Even supposing the infected Settings app is carefully obfuscated, we contain been ready to fetch the same malicious code. Furthermore, it shares the identical receiver name: com.sek.y.ac; carrier name: com.sek.y.as; and task names: com.sek.y.st, com.sek.y.st2, and com.sek.y.st3. Some variants additionally section a text file chanced on in its sources directory named wiz.txt. It appears to be like to be a list of “top apps” to download from a third-occasion app retailer.  Right here’s snippet of code from the text file.

To be dazzling, no malicious task triggered for us from this infected Settings app. We contain been staring at for to uncover some extra or less notification or browser popup populated with info from the code above displayed. Unfortunately, that in no plot occurred. But we additionally didn’t disclose the favorite quantity of time a identical old user would on the mobile tool. Nor was once a SIM card build in into the tool, which might presumably perhaps perhaps influence how the malware behaves. On the opposite hand, there might be sufficient evidence that this Settings app has the flexibility to download apps from a third-occasion app retailer. Right here is no longer okay. For this arrangement, the detection stands.

Even supposing unsettling, it’s crucial to account for that the apps from the third-occasion app retailer appear to be malware-free. This was once verified by manually downloading a couple for ourselves for evaluation. That’s no longer to snarl that malicious versions couldn’t be uploaded at a later date. Nor did we verify every sample. On the opposite hand, we predict about the sample put of living we did verify holds honest appropriate for various apps on the living. Below those conditions, despite the fact that the ANS’s Settings app had downloaded an app from the list, it’s unruffled no longer as heinous as the Settings app seen on the UMX U683CL.


  • Equipment Title: com.fota.wirelessupdate
  • MD5: 282C8C0F0D089E3CD522B4315C48E201
  • App Title: WirelessUpdate
  • Detections: Three variants of Android/PUP.Riskware.Autoins.Fota
    • Variants .INS, .fscbv, and .fbcv

WirelessUpdate is categized as a Doubtlessly Unwanted Program (PUP) riskware auto-installer that has the flexibility to auto-set up apps with out user consent or info. It additionally functions as the mobile tool’s indispensable source of updating safety patches, OS updates, and many others.

Android/PUP.Riskware.Autoins.Fota in particular is thought for inserting in various variants of Android/Trojan.HiddenAds—and indeed it did! In level of fact, it auto build in four varied variants of HiddenAds as seen under!

  • Equipment Title: com.maintaining.troops.merican
  • MD5: 66C7451E7C87AD5145596012C6E9F9A0
  • App Title: Merica
  • Detection: Android/Trojan.HiddenAds.MERI
  • Equipment Title: com.sstfsk.cleanmaster
  • MD5: 286AB10A7F1DDE7E3A30238D1D61AFF4
  • App Title: Smooth Grasp
  • Detection: Android/Trojan.HiddenAds.BER
  • Equipment Title: com.sffwsa.fdsufds
  • MD5: 4B4E307B32D7BB2FF89812D4264E5214
  • App Title: Beauty
  • Detection: Android/Trojan.HiddenAds.SFFW
  • Equipment Title: com.slacken.work.mischie
  • MD5: 0FF11FCB09415F0C542C459182CCA9C6
  • App Title: Mischi
  • Detection: Android/Trojan.HiddenAds.MIS

Payload tumble verification

Now you may perhaps presumably perhaps perhaps also be wondering, “How did you verify which of the two pre-build in infected system apps is losing the payloads?” The process works as follows. You disable one of them upon at the origin setting up the mobile tool. In both the UMX and ANS cases, picking which one to disable was once easy to advance to a decision. That’s attributable to disabling the Settings app renders the mobile phone unusable. So, disabling WirelessUpdate was once the obvious different in both cases. The next circulation in the strategy is waiting just a few weeks to uncover if anything else occurs. And yes, you on occasion want to succor this long for the malware to tumble payloads. If nothing occurs after just a few weeks, then it’s time to re-enable the infected system app all over again and initiate the waiting game at some stage in.

Utilizing this process, we chanced on in the case of the UMX U683CL, the Settings app was once the offender. For the ANS UL40, after no longer seeing any dropped payload(s) for weeks, I re-enabled WirelessUpdate. Inside of 24 hours, it build in the four HiddenAds variants! Caught crimson-handed, WirelessUpdate!

The tie between UMX and ANS

With our findings, we predict about some are left wondering: Is this a correlation or twist of destiny? We know that both the UMX and ANS mobile devices contain the identical infected system apps. On the opposite hand, the malware variants on the U683CL mannequin and the UL40 are varied. In consequence, I at the origin didn’t deem there was once any ties between the two brands. I summed it as a lot as be a twist of destiny pretty than a correlation. That is till I stumbled upon evidence suggesting in every other case. 

The Settings app chanced on on the ANS UL40 is signed with a digital certificate with the frequent name of teleepoch. Searching teleepoch comes up with the firm TeleEpoch Ltd along with a hyperlink to their internet quandary. Honest there on the homepage of TeleEpoch Ltd it states, Teleepoch registered put “UMX” in the United States. 

Let’s overview. We contain a Settings app chanced on on an ANS UL40 with a digital certificate signed by a firm that can presumably perhaps perhaps also very successfully be a registered put of UMX.  For the scoreboard, that’s two varied Settings apps with two varied malware variants on two varied mobile phone manufactures & items that appear to all tie back to TeleEpoch Ltd. Furthermore, to this level the correct two brands chanced on to contain preinstalled malware in the Settings app by the Lifeline Support program are ANS and UMX.

This led me to construct additional research into the correlation by having a uncover at cases in our make stronger system of various ANS items that can presumably perhaps perhaps also contain preinstalled malware. That’s after I chanced on the ANS L51. For the document, the L51 was once one other mannequin being boasted as having preinstalled malware at some stage in the comments of the UMX article in January. I chanced on that the ANS L51 had the identical trusty malware variants as the UMX U683CL! There, within previous make stronger tickets, was once laborious proof of the ANS L51 infected with Android/Trojan.Dropper.Agent.UMX and Android/PUP.Riskware.Autoins.Fota.fbcvd. Utilizing dwelling the triage of TeleEpoch, UMX, and ANS correlation! 


We contain the utmost religion that ANS will fast fetch a resolution to this field. Appropriate as UMX did as said in the UPDATE: February 11, 2020 a part of the January writing. As a silver lining, we did now not fetch the Settings app on the ANS to be with reference to as vicious as on the UMX.  Thus, the urgency is now not any longer as severe this time around.

Within the indicate time, frustrated customers with the ANS UL40 can close the reinfection of HiddenAds by the usage of this suggests to uninstall WirelessUpdate for most unusual user (info in hyperlink under):

Elimination instructions for Adups

Warning: Guarantee to be taught Restoring apps onto the tool (with out factory reset) in the uncommon case it's some distance a need to-contain to revert/restore app.  As an illustration, must you admire to restore WirelessUpdate to envision if there are crucial system updates.

Advise this/these inform(s) at some stage in step 7 under Uninstalling Adups by ADB inform line to take:

adb shell pm uninstall -okay –user 0 com.fota.wirelessupdate

Budget might presumably perhaps perhaps also unruffled no longer equate to malware

There are tradeoffs when selecting a budget mobile tool. Some anticipated tradeoffs are efficiency, battery life, storage dimension, masks quality, and list of various issues in bellow to make a mobile tool light on the pockets. 

On the opposite hand, budget might presumably perhaps perhaps also unruffled in no plot indicate compromising one’s safety with pre-build in malware. Length.

Leave a Reply

Your email address will not be published. Required fields are marked *