Researchers find another Android Smartphone infected with undeletable malicious code upon purchase


Researchers find another Android Smartphone infected with undeletable malicious code upon purchase

Researchers from Malwarebytes have discovered another phone model with pre-installed malware provided from the Lifeline Assistance program via Assurance Wireless by Virgin Mobile. This time, an ANS (American Network Solutions) UL40 running Android OS 7.1.1.

Previously the researchers reported back in January that United States government-funded phones come pre-installed with unremovable malware. The phone is distributed by the Lifeline program via Assurance Wireless by Virgin Mobile. It’s not clear whether the device is still available, but researchers found its user manual available on the Assurance Wireless website, Collier said. At the time of this writing, however, that website was not available.

The malware that researchers found on the UL40 device is the same as the malicious apps that Malwarebytes researchers discovered on the Unimax Communications U683CL Android device in January. That device also is distributed via the program, and the issue was later resolved, researchers said.

The UL40 device analyzed by Malwarebytes came with a preinstalled trojan file: Android/Trojan.Downloader.Wotby.SEK. It’s installed in the device’s Settings app, which as its name suggests, is required to control all of the device’s settings. It is thus undeletable, as to remove it would render the device useless, Collier said.

“Proof of infection is based on several similarities to other variants of Downloader Wotby,” Collier explained. “Although the infected Settings app is heavily obfuscated, we were able to find identical malicious code. Additionally, it shares the same receiver name:; service name:; and activity names:, com.sek.y.st2, and com.sek.y.st3.”

WirelessUpdate is categized as a Potentially Unwanted Program (PUP) riskware auto-installer that has the ability to auto-install apps without user consent or knowledge. It also functions as the mobile device’s main source of updating security patches, OS updates, etc.

Android/PUP.Riskware.Autoins.Fota in particular is known for installing various variants of Android/Trojan.HiddenAds—and indeed it did! In fact, it auto installed four different variants of HiddenAds as seen below!

  • Package Name: com.covering.troops.merican
  • MD5: 66C7451E7C87AD5145596012C6E9F9A0
  • App Name: Merica
  • Detection: Android/Trojan.HiddenAds.MERI
  • Package Name: com.sstfsk.cleanmaster
  • MD5: 286AB10A7F1DDE7E3A30238D1D61AFF4
  • App Name: Clean Master
  • Detection: Android/Trojan.HiddenAds.BER
  • Package Name: com.sffwsa.fdsufds
  • MD5: 4B4E307B32D7BB2FF89812D4264E5214
  • App Name: Beauty
  • Detection: Android/Trojan.HiddenAds.SFFW
  • Package Name:
  • MD5: 0FF11FCB09415F0C542C459182CCA9C6
  • App Name: Mischi
  • Detection: Android/Trojan.HiddenAds.MIS

While researchers initially believed there was no connection between the pre-loaded infections on the UMS and ANS mobile devices, evidence has emerged that they could be connected through a common company called TeleEpoch Ltd, Collier reported.

“The Settings app found on the ANS UL40 is signed with a digital certificate with the common name of ‘telepoch,’” he wrote. “Searching ‘telepoch’ comes up with the company TeleEpoch Ltd., along with a link to their website. Right there on the homepage of TeleEpoch Ltd., it states, ‘Teleepoch registered brand UMX’ in the United States.’

In the meantime, frustrated users with the ANS UL40 can halt the reinfection of HiddenAds by using this method to uninstall WirelessUpdate for the current user (details in the link below):

Removal instructions for Adups

For more news on tech and cybersecurity stay tuned on Android Rookies by subscribing to our newsletter from here.


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments