Another 'Obamaphone' found to contain pre-installed malware: What to do

Tinted microscope image of a coronavirus displayed on an Android phone.
(Image credit: photosince/Shutterstock)

Yet another cheap phone offered through the U.S. Lifeline Assistance program is infected with pre-installed malware, according to a security researcher.

Malwarebytes' Nathan Collier discovered that an American Network Solutions UL40 Android handset -- available at low cost through Lifeline Assistance which subsidizes telephone service and equipment for poor families -- was running two malicious apps. 

One of them was the Settings app, which would make the phone unstable if it were to be removed. The other was WirelessUpdate, the phone's main method of installing legitimate software updates.

Lifeline Assistance phones are commonly called "Obamaphones," although Obama really had nothing to do with it. The program started in 1985 during the Reagan presidency and was expanded to include mobile phones in 2005 while George W. Bush was president.

This isn’t the first time that Collier has made such a discovery. In January, he found pre-installed malware on the Unimax U686CL, another low-cost Android smartphone provided as part of the Lifeline Assistance scheme.

In both cases, the preinstalled malware or adware, built into the legitimate Settings and WirelessUpdate apps, was capable of downloading additional apps from "off-road" app stores onto the devices of unsuspecting users. 

Collier found that the “infections are similar but have their own unique infection characteristics”.  He made the discovery after a Malwarebytes user, Rameez H. Anwar, sent in a compromised ANS UL40 for research purposes.

Hiding in legit apps

The ANS UL40's Settings app embeds a Trojan called Downloader Wotby, which can install third-party apps under the nose of unsuspecting users, and has a precompiled shopping list of apps to install, including the regular Facebook app.

However, the Settings app didn't donwload anything over the weeks that Collier tested the phone. He manually downloaded a couple of the apps from the shopping list and found them free from malware, but warned, “That’s not to say that malicious versions couldn’t be uploaded at a later date.”

That wasn't the case with WirelessUpdate, which also harbored a downloader. In just 24 hours during Collier's testing, it installed four different apps without the user's consent, all of which harbored the HiddenAds Android Trojan to spam you with unwanted ads.

Again, this was just annoying adware, but only the adware developer's goodwill prevents either of these hidden downloaders from installing something much more malicious.


In his investigation, Collier also explored whether there were any correlations between the malicious apps found on UMX and ANS devices. And there was.

“We have a Settings app found on an ANS UL40 with a digital certificate signed by a company [called TeleEpoch] that is a registered brand of UMX,” said Collier.

“For the scoreboard, that’s two different Settings apps with two different malware variants on two different phone manufactures & models that appear to all tie back to TeleEpoch Ltd.," he added. "Thus far, the only two brands found to have preinstalled malware in the Settings app via the Lifeline Assistance program are ANS and UMX.”

For users of these devices, Malwarebytes has published instructions on how to remove the WirelessUpdate app. Unfortunately, you're stuck with the Settings app unless you wipe and completely reinstall the Android OS.

Collier concluded that “budget should never mean compromising one’s safety with pre-installed malware.”

  • Read more: Stay protected on your mobile with the best Android VPN

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!