Pre-Installed malware spotted on other Android phones sold in US

Pierluigi Paganini July 10, 2020

Researchers from Malwarebytes have found yet another phone, sold in the United States through the Lifeline Assistance program, that ships with pre-installed malware.

This is the second time Malwarebytes researchers have found malware pre-installed on smartphones sold in the United States; the first case was documented in a report published in January.

In January, Malwarebytes researchers discovered that the UMX U686CL phone was sold with pre-installed malware as part of the government-funded Lifeline Assistance program by Virgin Mobile.

The phone was being shipped to users with two malicious apps masquerading as a Wireless Update application and a Settings app, respectively.

Now the ANS (American Network Solutions) UL40, a phone model running Android 7.1.1 and provided through the Lifeline Assistance program, has been found with pre-installed malware.

“We have discovered, yet again, another phone model with pre-installed malware provided from the Lifeline Assistance program via Assurance Wireless by Virgin Mobile.  This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.” reads the post published by Malwarebytes.

“To clarify, it is unclear if the phone in question, the ANS UL40, is currently available by Assurance Wireless. However, the ANS UL40 User Manual is listed (at the time of this writing) on the Assurance Wireless website.”

Like the UMX U686CL model, the ANS UL40 comes with malicious programs masquerading as the Settings and Wireless Update apps, but the experts noticed that the malware families involved in the two cases are different.

The Settings app hides the Android/Trojan.Downloader.Wotby.SEK, while Wireless Update would fetch three variants of Android/PUP.Riskware.Autoins.Fota.

WirelessUpdate is classified as a Potentially Unwanted Program (PUP) riskware auto-installer that could auto-install apps without user knowledge. The app also acts to update the software running on the phone.

Experts noticed that the digital certificate used to sign the Settings app on the ANS UL40 has the common name teleepoch; TeleEpoch Ltd is the company that registered the brand “UMX” in the United States.

“Let’s review. We have a Settings app found on an ANS UL40 with a digital certificate signed by a company that is a registered brand of UMX. For the scoreboard, that’s two different Settings apps with two different malware variants on two different phone manufacturers & models that appear to all tie back to TeleEpoch Ltd.” continues Malwarebytes. “Additionally, thus far the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX.”

Researchers also discovered that the ANS L51 phone was delivered with pre-installed malware from the same family that was spotted on the UMX U683CL.

“There are tradeoffs when choosing a budget mobile device. Some expected tradeoffs are performance, battery life, storage size, screen quality, and list of other things in order to make a mobile device light on the wallet.” concludes the post. “However, budget should never mean compromising one’s safety with pre-installed malware. Period.”

Pierluigi Paganini

(SecurityAffairs – pre-installed malware, mobile)
