Security

Google scolded for depriving the poor of privacy as Chinese malware bundled on phones for hard-up Americans

To make matters worse, uninstalling it could cause even more pain


Updated On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones.

The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an open letter to Google (and Alphabet) CEO Sundar Pichai asking him "to take action against exploitative pre-installed software on Android devices."

Their concern is that almost all (91 per cent) Android apps installed on devices by Google's Android partners prior to sale do not face the same security scrutiny as Android apps distributed to device users through Google Play. These pre-installed apps cannot be deleted and may collect user user data without consent or perform other undesired functions. And they play by a different set of rules than Google Play apps.

"These pre-installed apps can have privileged custom permissions that let them operate outside the Android security model," the letter says. "This means permissions can be defined by the app – including access to the microphone, camera and location – without triggering the standard Android security prompts. Users are therefore completely in the dark about these serious intrusions."

The groups are particularly concerned about "the exploitative business practices of cheap smartphone manufacturers." They argue that lack of income should not mean Android users lose their privacy rights.

They want Google to provide a way to uninstall pre-installed apps and related background services permanently, to apply the same security review that Play-submitted apps receive, to support an update mechanism for these apps without a user account, and to actually refuse to certify partner devices if they contain exploitative software.

Smoking gun

Underscoring these concerns, security vendor Malwarebytes said that Assurance Wireless by Virgin Mobile, supported by the US government's Lifeline Assistance program, distributes the $35 UMX U686CL phone with two pre-installed apps that appear to be malicious.

The first is an updater named Wireless Update that shows up in Malwarebytes' threat database as as Android/PUP.Riskware.Autoins.Fota.fbcvd. The app is "a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers," said senior malware intelligence analyst Nathan Collier in a blog post.

The second is the phone's Settings app, which incorporates obfuscated malware that the security biz identifies as Android/Trojan.Dropper.Agent.UMX. The dubious code shares similarities with other known Trojan droppers; in this instance, according to Collier, it installs malware called Android/Trojan.HiddenAds.

Attempting to remove this software can pose problems. Without Wireless Update, the phone no longer gets updates automatically. Removing the Settings app, however, may cripple the device. Collier offers remediation guidance, but it involves command line fiddling that demands some technical sophistication and may not work.

Collier reaches the same conclusion as the civic groups haranguing Google's CEO: "Budget should not dictate whether a user can remain safe on his or her mobile device."

Virgin Mobile did not immediately respond to a request for comment and Assurance Wireless's website returned an error at the time this story was filed, possibly due to the unexpected public attention following from the Malwarebytes report.

Google also did not immediately respond to a request for comment.

Incidentally, in March, the search biz will offer Android customers in the European Economic Area (which includes Britain) a limited menu of default search providers on new devices as a result of European Commission antitrust action last year.

The Chocolate Factory on Thursday published its list of rivals – determined by periodic auctions, with proceeds paid to Google – that will be featured (through June) in the search choice menu presented in each EEA country. Android users, when setting up their devices, will be able to use the menu to select a default search engine other than Google, if they wish. ®

Updated to add

In a statement emailed after this story was filed, a Virgin Mobile representative disputed Malwarebytes’ claim. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware,” the Virgin spokesperson said.

Send us news
57 Comments

Epic judge orders Google to let rivals set up app stores

Chocolate Factory vows to appeal

Google's Rust belts bugs out of Android, helps kill off unsafe code substantially

Memory safety flaws used to represent 76% of 'droid security holes. Now they account for 24%

T-Mobile US to cough up $31.5M after that long string of security SNAFUs

At least seven intrusions in five years? Yeah, those promises of improvement more than 'long overdue'

Uncle Sam may force Google to sell Chrome browser, or Android OS

Tech giant snaps back, calls DoJ proposals on splitting up Alphabet and more 'government overreach'

Extracting vendor promises won't fix cybersecurity. Extracting teeth might

One branch of tech has learned to work together to solve the near-impossible. Now it's our turn

Google expands visual, audio search, lets AI handle layout

AI Overviews get links to referenced websites – and ads

Recall the Recall recall? Microsoft thinks it can make that Windows feature palatable

AI screengrab service to be opt-in, features encryption, biometrics, enclaves, more

Smart TVs are spying on everyone

Regulators know this is a nightmare and have done little to stop it. Privacy advocacy group wants that to change

Apple's latest macOS release is breaking security software, network connections

PLUS: Payer of $75M ransom reportedly identified; Craigslist founder becomes security philanthropist, and more

Deno 2.0 looks to backward compatibility to move forward

Modern runtime for JavaScript and TypeScript plays nicer with Node.js

AI-driven e-commerce fraud is surging, but you can fight back with more AI

Juniper Research argues the only way to beat them is to join them

Tor Project wags Tails to mark privacy project merger

Onion Amnesia: Steaming up your digital disguise