We have discovered, yet again, another phone model with pre-installed malware provided from the Lifeline Assistance program via Assurance Wireless by Virgin Mobile. This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.

After our writing back in January, “United States government-funded phones come pre-installed with unremovable malware”, we heard an outcry from Malwarebytes patrons. Some claimed that various ANS phone models were experiencing similar issues to the UMX (Unimax) U683CL. However, it’s very hard to verify such cases without physically having the mobile device in hand. For this reason, I could not confidently write about such cases publicly. Thankfully, we had one Malwarebytes patron committed to proving his case. Thank you to Malwarebytes patron Rameez H. Anwar for sending us your ANS UL40 for further research! Your cyber-security expertise and persistence into this case will surely aid others!

Clarification of availability

To clarify, it is unclear if the phone in question, the ANS UL40, is currently available by Assurance Wireless. However, the ANS UL40 User Manual is listed (at the time of this writing) on the Assurance Wireless website. Therefore, we can only assume it is still available to Assurance Wireless customers. Regardless, the ANS UL40 was sold at some point and some customers could still be affected.

Just like the UMX U683CL, the ANS UL40 comes infected with a compromised Settings app and Wireless Update app. Although this may be true, they are not infected with the same malware variants. The infections are similar but have their own unique infection characteristics. Here’s a rundown of the infected apps.

The Settings app is exactly what it sounds like: it is the required system app used to control all the mobile device’s settings. Thus, removing it would leave the device unusable. For the case of the ANS UL40, it is infected with Android/. Proof of infection is based on several similarities to other variants of Downloader Wotby. Although the infected Settings app is heavily obfuscated, we were able to find identical malicious code. Additionally, it shares the same receiver name: .ac, service name: .as, and activity names: .st, .st2, and .st3. Some variants also share a text file found in its assets directory named wiz.txt. It appears to be a list of “top apps” to download from a third-party app store. Here’s a snippet of code from the text file.

To be fair, no malicious activity triggered for us from this infected Settings app. We were expecting to see some kind of notification or browser popup populated with info from the code above displayed. But we also didn’t spend the normal amount of time a typical user would on the mobile device. Nor was a SIM card installed into the device, which could impact how the malware behaves. Nevertheless, there is enough evidence that this Settings app has the ability to download apps from a third-party app store. This is not okay.

The warning/notification you are getting happens when a security certificate is added to your phone (either manually by you, by another user, or automatically by some service or site you are using) and it is not issued by a pre-approved (by Google) issuer; Android’s default security setting is then to display the warning that “Networks May Be Monitored”. Unfortunately, the issued warning is needlessly scary and is unclear. The message is from Android and the only way to get rid of it is to not have the SSL certificate imported. Normally, Akruto monitors any changes between your devices using your LOCAL network. We sincerely apologize for the inconvenience.