Security

Google scolded for depriving the poor of privacy as Chinese malware bundled on phones for hard-up Americans

To make matters worse, uninstalling it could cause even more pain


Updated On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones.

The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an open letter to Google (and Alphabet) CEO Sundar Pichai asking him "to take action against exploitative pre-installed software on Android devices."

Their concern is that almost all (91 per cent) Android apps installed on devices by Google's Android partners prior to sale do not face the same security scrutiny as Android apps distributed to device users through Google Play. These pre-installed apps cannot be deleted and may collect user user data without consent or perform other undesired functions. And they play by a different set of rules than Google Play apps.

"These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model," the letter says. "This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions."

The groups are particularly concerned about "the exploitative business practices of cheap smartphone manufacturers." They argue that lack of income should not mean Android users lose their privacy rights.

They want Google to provide a way to uninstall pre-installed apps and related background services permanently, to apply the same security review that Play-submitted apps receive, to support an update mechanism for these apps without a user account, and to actually refuse to certify partner devices if they contain exploitative software.

Smoking gun

Underscoring these concerns, security vendor Malwarebytes said that Assurance Wireless by Virgin Mobile, supported by the US government's Lifeline Assistance program, distributes the $35 UMX U686CL phone with two pre-installed apps that appear to be malicious.

The first is an updater named Wireless Update that shows up in Malwarebytes' threat database as as Android/PUP.Riskware.Autoins.Fota.fbcvd. The app is "a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers," said senior malware intelligence analyst Nathan Collier in a blog post.

The second is the phone's Settings app, which incorporates obfuscated malware that the security biz identifies as Android/Trojan.Dropper.Agent.UMX. The dubious code shares similarities with other known Trojan droppers; in this instance, according to Collier, it installs malware called Android/Trojan.HiddenAds.

Attempting to remove this software can pose problems. Without Wireless Update, the phone no longer gets updates automatically. Removing the Settings app, however, may cripple the device. Collier offers remediation guidance, but it involves command line fiddling that demands some technical sophistication and may not work.

Collier reaches the same conclusion as the civic groups haranguing Google's CEO: "Budget should not dictate whether a user can remain safe on his or her mobile device."

Virgin Mobile did not immediately respond to a request for comment and Assurance Wireless's website returned an error at the time this story was filed, possibly due to the unexpected public attention following from the Malwarebytes report.

Google also did not immediately respond to a request for comment.

Incidentally, in March, the search biz will offer Android customers in the European Economic Area (which includes Britain) a limited menu of default search providers on new devices as a result of European Commission antitrust action last year.

The Chocolate Factory on Thursday published its list of rivals – determined by periodic auctions, with proceeds paid to Google – that will be featured (through June) in the search choice menu presented in each EEA country. Android users, when setting up their devices, will be able to use the menu to select a default search engine other than Google, if they wish. ®

Updated to add

In a statement emailed after this story was filed, a Virgin Mobile representative disputed Malwarebytes’ claim. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware,” the Virgin spokesperson said.

Send us news
57 Comments

Crims hijacking fully patched SonicWall VPNs to deploy stealthy backdoor and rootkit

Someone's OVERSTEPing the mark

At last, a use case for AI agents with sky-high ROI: Stealing crypto

Boffins outsmart smart contracts with evil automation

Curl creator mulls nixing bug bounty awards to stop AI slop

Maintainers struggle to handle growing flow of low-quality bug reports written by bots

Tech to protect images against AI scrapers can be beaten, researchers show

Data poisoning, meet data detox

AI coding tools make developers slower but they think they're faster, study finds

Predicted a 24% boost, but clocked a 19% drag

Jack Dorsey floats specs for decentralized messaging app that uses Bluetooth

It connects using peer-to-peer networking instead of the internet

Nvidia A6000 GPUs flip memory bits if beaten by GPUHammer

Rowhammer returns for more memory-meddling fun

OpenAI deputizes ChatGPT to serve as an agent that uses your computer

LLM given keys to the web, told to behave and observe safeguards

Scholars sneaking phrases into papers to fool AI reviewers

Using prompt injections to play a Jedi mind trick on LLMs

Google sues 25 alleged BadBox 2.0 botnet operators, all of whom are in China

Ads giant complains of damage to its reputation and finances ... and crime, too

UK tech minister negotiated nothing with Google. He may get even less than that

Peter Kyle promised alternative to 'ball and chain' of legacy systems, but he has no plan and little power

Cloudflare creates AI crawler tollbooth to pay publishers

The bargain between content makers and crawlers has broken down