
Cheap $39 Smartphone Sold By a U.S. Subsidized Lifeline Provider is a Malware Nightmare

Phillip Dampier January 13, 2020 Consumer News, Public Policy & Gov't, Virgin Mobile, Wireless Broadband

The Unimax U683CL

An inexpensive $39 Chinese-made smartphone offered by a U.S. government-subsidized Lifeline mobile phone service provider ships with pre-installed software that silently installs other apps, leaving users exposed to adware, privacy violations, and whatever a future update of those auto-installed apps chooses to deliver, including code that could expose some to fraud.

Malwarebytes Labs, an online security company, issued a serious warning to the public about the Unimax U683CL smartphone’s compromised-from-the-box status, and criticized provider Assurance Wireless for selling the phone and ignoring repeated warnings sent to the company about the phone.

“Assurance Wireless by Virgin Mobile offers the UMX U683CL phone as their most budget conscious option. At only $35 [$39 as of Jan. 13, 2020] under the government-funded program, it’s an attractive offering,” Nathan Collier, a senior malware intelligence analyst at Malwarebytes Labs writes in a company blog. “However, what it comes installed with is appalling.”

Malwarebytes began getting complaints about the phone last fall, and secured one to investigate further. It quickly emerged the phone arrived with questionable software pre-installed:

The first questionable app found on the UMX U683CL poses as an updater named Wireless Update. Yes, it is capable of updating the mobile device. In fact, it’s the only way to update the mobile device’s operating system (OS). Conversely, it is also capable of auto-installing apps without user consent.

Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That’s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers.

From the moment you log into the mobile device, Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own. While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time.

The second piece of unremovable malware is the UMX’s own “Settings” app, crucial to operating the phone. Researchers called this “heavily-obfuscated malware” that is detected as Android/Trojan.Dropper.Agent.UMX. This app quietly downloads and installs apps without the user’s permission, most recently including a variant of HiddenAds, which forces users to endure frequent advertising screens on their phone, even when not web browsing.

The malware activates the moment a user powers on their phone for the first time. Most customers will simply be annoyed if ad-related apps automatically install, but with a security-compromised phone opening the door to more malware in the future, this “lowers the bar on bad behavior by app development companies,” according to Collier.

“Budget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision at Malwarebytes,” Collier said.

“We informed Assurance Wireless of our findings and asked them point blank why a U.S.-funded mobile carrier is selling a mobile device infected with pre-installed malware? After giving them adequate time to respond, we unfortunately never heard back,” Collier added.
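A practitioner who wants to check a handset for this class of component can triage what is installed on the firmware partitions and which of those packages hold the permission that allows silent installs. The script below is an added example, not Malwarebytes' tooling or anything from Stop the Cap!; it parses an abridged, constructed sample of `adb shell dumpsys package` output, and the package names in the sample are hypothetical. INSTALL_PACKAGES is a signature|privileged permission, so only apps shipped on the system image can hold it; a user-installed app cannot.

```python
import re
from typing import Dict, List

# Permissions that let an app install other packages. INSTALL_PACKAGES is
# signature|privileged, so only firmware (system/priv-app) apps can hold it;
# REQUEST_INSTALL_PACKAGES lets an ordinary app prompt for sideloads.
INSTALL_PERMS = {
    "android.permission.INSTALL_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
FIRMWARE_PATHS = ("/system/", "/vendor/", "/product/", "/oem/")

# Constructed, abridged sample of `adb shell dumpsys package` output.
# Package names are hypothetical; only the fields the parser needs are kept.
SAMPLE_DUMPSYS = """\
Package [com.example.fota.updater] (3f1a9c2):
  userId=1000
  codePath=/system/priv-app/WirelessUpdate
  flags=[ SYSTEM HAS_CODE ]
  install permissions:
    android.permission.INSTALL_PACKAGES: granted=true
    android.permission.INTERNET: granted=true
    android.permission.RECEIVE_BOOT_COMPLETED: granted=true
Package [com.example.messaging] (a8e44d0):
  userId=10061
  codePath=/data/app/com.example.messaging-1
  flags=[ HAS_CODE ]
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.settings] (77b0c11):
  userId=1000
  codePath=/system/priv-app/Settings
  flags=[ SYSTEM HAS_CODE ]
  install permissions:
    android.permission.INSTALL_PACKAGES: granted=true
    android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_dumpsys(text: str) -> Dict[str, dict]:
    """Return {package: {"codePath": str, "granted": set()}} from dumpsys text."""
    pkgs: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            pkgs[current] = {"codePath": "", "granted": set()}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("codePath="):
            pkgs[current]["codePath"] = stripped[len("codePath="):]
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            pkgs[current]["granted"].add(m.group(1))
    return pkgs


def silent_installers(pkgs: Dict[str, dict]) -> List[str]:
    """Packages that live on a firmware partition AND can install other apps.
    The user cannot uninstall these, and they can add apps without consent."""
    hits = []
    for name, info in pkgs.items():
        on_firmware = info["codePath"].startswith(FIRMWARE_PATHS)
        can_install = bool(info["granted"] & INSTALL_PERMS)
        if on_firmware and can_install:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    for pkg in silent_installers(parse_dumpsys(SAMPLE_DUMPSYS)):
        print("firmware package able to install apps silently:", pkg)
```

On a real device, capture `adb shell dumpsys package > dump.txt` and feed the file to parse_dumpsys(). Treat the result as a triage list rather than a verdict: a carrier's own update client or app store legitimately holds INSTALL_PACKAGES, so the next step is to check each hit's signer, network behaviour and what it has actually installed (`adb shell pm list packages -i` shows the installer of record for every package).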

Your ISP May be a Victim of Malvertising

Phillip Dampier March 21, 2016 Consumer News

Fraudsters impersonating your Internet Service Provider are sending urgent malware warnings that urge you to call straight away to "resolve" malicious spyware on your computer. Follow through on that request and what gets resolved is the balance of your bank account.

“Malvertising” has become a multi-million dollar industry, and nothing is more profitable than claiming to remove malware from your personal computer that isn’t there in the first place. A review of your spam folder or voicemail messages may show a number of messages and calls claiming to come from Microsoft or your Internet Service Provider informing you they have supposedly discovered illegitimate software running on your computer that needs to be removed urgently.

These schemes have become very sophisticated, with warnings appearing in your web browser (as an embedded, pop-up or pop-under message) that identify your general location and ISP as part of the malware alert. To enhance credibility, these messages include your ISP's logo and a professional-sounding audio message warning that your credit cards, passwords, and personal information are at risk.

Malwarebytes Labs, a legitimate fighter of all-things-malware, recently investigated these warning messages and dialed the toll-free number to see what would happen next.

[Our call was] handled by a tech support company out of India that goes by the name of Credence Incorporation and operates a website at: support-samurai.com.

As always, the technician that took remote control of our machine found many “infected files”, using outrageous (for anyone tech savvy) tricks:

[Screenshot: the command the technician typed; only the fragment "inf" survives]

Many people won’t know the difference, but the above command is by no means a way to scan a system for malware. Sadly, this sales pitch will still prove effective and those crooks will be able to extort several hundred dollars for non-existent computer problems.

At the time of writing this blog, we noticed that all the fraudulent websites had been shut down. They had been registered under disguise with the following identity:

Registrant Name: Elizabeth Gonzalez
Registrant Organization: Sky-IP
Registrant Street: Addison House Plaza, street 57
Registrant City: Panama

The scam relies on nothing more than your IP address, which any web page you visit can look up to find your ISP and approximate location; it is not evidence that anything on your computer has been examined. Once you call, the "technician" asks for remote control of your computer, "finds" infections, and bills several hundred dollars to your credit card to delete malware that was never there. Non-tech savvy users will probably never suspect a thing.

In addition to using a legitimate anti-virus program, it doesn’t hurt to have a second malware detector working for you. We found a promotion today for Malwarebytes Premium (1 year subscription for up to three computers), through Newegg.com for $12.00 (free shipping) using promo code: EMCEHGF27 

(Stop the Cap! does not receive any commission or any other benefits from Malwarebytes or Newegg. It was simply the cheapest price we could find for the software and is subject to expire after today.)

Never Loan NBC’s Richard Engel Your Phone or Laptop; Inside the Phony ‘Sochi’ Hack Story

A prominent story airing last week on the NBC Nightly News with Brian Williams suggested visitors to the Sochi Olympic Games in Russia should expect their Android smartphone or laptop to be infiltrated by hackers moments after being switched on. A closer examination of the story suggests NBC News reporter Richard Engel had to go out of his way to get infected with malware.

[Video: http://www.phillipdampier.com/video/NBC News Hackers at the Olympics 2-4-14.flv]

Is it really too late to protect your electronic device if you power it on at the Sochi baggage claim facility at the airport, as NBC News’ Brian Williams claims? (3:35)

Trend Micro security expert Kyle Wilhoit, who helped design the experiment based on Engel’s usage habits, admitted security holes were left wide open on the tested devices:

On all of the devices, there was no security software of any type installed. These devices merely had standard operational programs such as Java, Flash, Adobe PDF Reader, Microsoft Office 2007, and a few additional productivity programs.

When considering this experiment, there were some basic things to be considered. First was mimicking the user behavior of Richard Engel. Since these were going to be machines with fake data, it was important to accurately imitate his normal activities. I had to investigate Richard’s user habits. In addition to other information, I needed to understand what he actually did on a daily basis, and sites he commonly visits. Also, I needed to understand where he posted. Did he post information on forums? Did he post on foreign language sites?

NBC’s story implied that three new devices, including an Apple MacBook Air, an Android phone, and a Lenovo laptop running Windows 7 were all hacked within minutes of being switched on for the first time, right out of their respective boxes.

A story about hacking at the Olympics in Sochi, Russia was recorded largely in Moscow, more than 1,000 miles away.

Careful observers will notice Wilhoit is wandering around Moscow, more than 1,000 miles away from Sochi. Wilhoit would later clarify in a tweet that he never visited Sochi at all. A closer look at shots of computer screens shows the reporter clicking on suspicious links and visiting obviously phony Olympics-oriented websites. With no virus or malware protection and Engel's apparent willingness to click on anything, you should never loan him your laptop or phone.

NBC News went over the top getting their Android phone hacked. In fact, Engel not only had to manually find and download the infected app that let the hackers in, he had to navigate a set of menus to disable Android's built-in security, turning on permission to install apps from unknown or third-party sources not affiliated with the Google Play store. Installing a security-compromised app also brings multiple additional warning messages advising users not to proceed. Under these circumstances, Aunt Sue can rest easy that her Galaxy S4 is not accidentally open season for hackers while she watches the downhill skiing events.

Media sensationalism makes for good ratings but requires a lot of truth dodging to make the story real. This is an example.

Comcast E-Mail Servers Hacked by Notorious NullCrew FTS; Exploit, Passwords Shared Online

Phillip Dampier February 6, 2014 Comcast/Xfinity, Consumer News, Public Policy & Gov't

At least 34 of Comcast's email servers have been compromised by a well-known hacker group that posted evidence, the exploit, and certain administrative passwords online to embarrass the company and expose its poor security practices.

Using a "Local File Inclusion" (LFI) vulnerability in the servers' Zimbra web interface, the hacker crew read the Zimbra configuration holding its LDAP and MySQL passwords and publicly shared their findings earlier today. An LFI bug lets an attacker feed a path such as ../../ into a request parameter and have the web server hand back files it was never meant to serve. At minimum that exposes credentials and other sensitive configuration; in some setups it can be escalated to running the attacker's own code on the server, from which malware injection, disruption of service, and access to sensitive customer information can follow.
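To make the class of bug concrete, here is a vulnerable file-serving routine beside its hardened form. This is an added example, not Zimbra's code and not NullCrew's exploit: it assumes a web root with a "skins" directory and a configuration file outside the web root (named localconfig.xml, as Zimbra names its local configuration, but with constructed contents); the directory tree is built in a temporary folder so the example runs offline.

```python
import os
import tempfile


class PathOutsideRoot(Exception):
    """Raised by the hardened version when a request escapes the skins directory."""


def serve_skin_file_vulnerable(web_root: str, skin: str) -> bytes:
    """VULNERABLE: the user-controlled 'skin' value is joined onto a path with
    no normalisation or containment check, so '../' sequences walk out of the
    web root and any readable file on the server can be fetched."""
    path = os.path.join(web_root, "skins", skin)
    with open(path, "rb") as f:
        return f.read()


def serve_skin_file_hardened(web_root: str, skin: str) -> bytes:
    """HARDENED: resolve the final path and require it to stay inside skins/.
    realpath() collapses '..' and symlinks; commonpath() rejects both traversal
    and prefix tricks such as a sibling directory named 'skins_evil'."""
    if "\x00" in skin:
        raise PathOutsideRoot("null byte in requested path")
    skins_dir = os.path.realpath(os.path.join(web_root, "skins"))
    candidate = os.path.realpath(os.path.join(skins_dir, skin))
    if os.path.commonpath([skins_dir, candidate]) != skins_dir:
        raise PathOutsideRoot(candidate)
    with open(candidate, "rb") as f:
        return f.read()


def build_demo_tree() -> str:
    """Construct a throwaway install: web root with a skins dir, plus a config
    file OUTSIDE the web root holding a (constructed) credential."""
    base = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(base, "www", "skins", "default"))
    os.makedirs(os.path.join(base, "conf"))
    with open(os.path.join(base, "www", "skins", "default", "skin.css"), "w") as f:
        f.write("body { color: black; }\n")
    with open(os.path.join(base, "conf", "localconfig.xml"), "w") as f:
        f.write('<key name="ldap_password"><value>CONSTRUCTED-SECRET</value></key>\n')
    return base


def demo() -> dict:
    """Exercise both versions with a legitimate request and a traversal."""
    base = build_demo_tree()
    web_root = os.path.join(base, "www")
    traversal = "../../conf/localconfig.xml"  # skins -> www -> base -> conf
    result = {
        "legit": serve_skin_file_vulnerable(web_root, "default/skin.css"),
        "vulnerable_leaks": serve_skin_file_vulnerable(web_root, traversal),
        "hardened_legit": serve_skin_file_hardened(web_root, "default/skin.css"),
    }
    try:
        serve_skin_file_hardened(web_root, traversal)
        result["hardened_blocks"] = False
    except PathOutsideRoot:
        result["hardened_blocks"] = True
    return result


if __name__ == "__main__":
    r = demo()
    print("vulnerable version returned:", r["vulnerable_leaks"].decode().strip())
    print("hardened version blocked traversal:", r["hardened_blocks"])
```

Two design points matter more than the regex-free simplicity: the check is done on the resolved path, not on the raw string (a blacklist of "../" is bypassed by URL encoding, double encoding, or symlinks), and the file is opened only after the check passes, so there is no window in which a different path is read than the one that was validated.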

The security breach affecting Comcast’s email servers remains open and available as of early this afternoon, and Comcast has yet to publicly respond to the security threat.

In one tweet, NullCrew thanked Comcast for putting all of their password information in one convenient spot, making the security intrusion easier.

NullCrew considers itself a hacktivist group that exposes poor security practices at corporations, government agencies, and schools. As exploits are publicized, most affected companies immediately take steps to strengthen security.

NullCrew alerted Comcast four hours before publicizing the breach, but Comcast’s social media team appeared to lack an understanding of the nature of the threat.

NullCrew posted complete documentation about executing the hack on pastebin.com (since removed), opening the door to more attacks by other parties. It also included its latest manifesto:

  1. Hello there beautiful people of the internet, once again; we here at NullCrew have some fun information for you.

  2. This time, our target is Comcast, yet another internet service provider who proclaims to be a secured one; shall we test these claims as well?

  3. What is Comcast?

  4. Comcast Corporation is the largest mass media and communications company in the world by revenue.

  5. It is the largest cable company and home Internet service provider in the United States, and the nation’s third largest home telephone service provider.

  6. Comcast provides cable television, broadband Internet, telephone service and in some areas home security (including burglar alarms, surveillance cameras, fire alarm systems and home automation) to both residential and commercial customers in 40 states and the District of Columbia.

  7. Okay!

  8. So, it’s the LARGEST mass media and communications company in the world? Sweeeeet.

  9. Let’s take a look at it, and see if we should be impressed.

  10. Below us, we have a list of Comcast mail servers; and each of these mail servers run on something called, “Zimbra.”

  11. But each of these mail servers also are vulnerable to LFi, and you know what LFi can lead to, right?


Turnabout: Verizon’s RISK Security Team Ferrets Out Employee Outsourcing His Own Job to China

Phillip Dampier January 17, 2013 Consumer News, Verizon
Downtown Shenyang

When corporate executives discover the merits of outsourcing jobs to overseas workers in China or India, that wins them a large bonus for improved efficiency and successful cost-cutting. When an enterprising employee does the same thing, that is a heinous security risk.

Verizon’s RISK Team, which sells enterprise-level security services to large companies, discovered a “severe” security threat when it went to work for a “critical U.S. infrastructure company” (which goes unnamed) that found some unusual activity in its private network logs.

It all started when the company began shifting employees away from in-office work towards cheaper telecommuting. To allow this to happen, a secure virtual private network was established allowing developers to manage their work from home.

When the company began reviewing the network logs, it discovered a curious workday connection being established almost daily originating from Shenyang, China. The company hired Verizon’s RISK Team to consider the implications.

Company security personnel were initially concerned the Chinese had infiltrated their private network, even though VPN access required two-factor authentication with an RSA hardware token (a key fob that displays a rotating one-time code). Even harder to understand, security officials watched the employee working at his office desk while the Shenyang connection was active.

Was it a Chinese intelligence agency break-in? Malware? Hackers?

No, it turned out the employee, whom Verizon calls "Bob," had simply outsourced his job responsibilities to a contracting firm in China.

Company officials authorized some infiltration of their own, asking Verizon to review a forensic image quietly obtained from Bob’s workstation. Verizon security officials were surprised when they found hundreds of .PDF invoices sent from the third party contractor-developer… in Shenyang, China. Verizon’s RISK blog explains further:

As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedEx'd his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.

A typical ‘work day’ for Bob looked like this:

  • 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
  • 11:30 a.m. – Take lunch
  • 1:00 p.m. – Ebay time.
  • 2:00 – ish p.m Facebook updates – LinkedIn
  • 4:30 p.m. – End of day update e-mail to management.
  • 5:00 p.m. – Go home

Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.
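The lesson for anyone watching VPN logs is that the token authenticated correctly every day; what gave Bob away was context that authentication alone cannot supply. The script below is an added example of that correlation, not Verizon RISK's tooling and not from the company involved: it runs two rules over constructed VPN and badge-reader log lines (RFC 5737 documentation addresses, hypothetical user names) with a stubbed GeoIP table standing in for a real lookup. Rule 1 flags a VPN session from outside the expected countries on a day the same user badged into the office; rule 2 flags a foreign source address that recurs across several working days, a routine rather than a business trip.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed log lines (syslog-style key=value; RFC 5737 documentation ranges).
VPN_LOG = """\
2012-11-05T09:02:11Z vpn session=start user=bob src=203.0.113.17
2012-11-05T17:04:50Z vpn session=end user=bob src=203.0.113.17
2012-11-05T09:15:22Z vpn session=start user=alice src=198.51.100.9
2012-11-05T12:40:02Z vpn session=end user=alice src=198.51.100.9
2012-11-06T08:58:40Z vpn session=start user=bob src=203.0.113.17
2012-11-06T17:01:12Z vpn session=end user=bob src=203.0.113.17
2012-11-07T09:03:05Z vpn session=start user=bob src=203.0.113.17
2012-11-07T16:59:31Z vpn session=end user=bob src=203.0.113.17
"""
BADGE_LOG = """\
2012-11-05T08:51:03Z badge event=entry user=bob door=HQ-lobby
2012-11-06T08:47:19Z badge event=entry user=bob door=HQ-lobby
2012-11-07T08:55:44Z badge event=entry user=bob door=HQ-lobby
"""

# Hypothetical GeoIP table standing in for a real database lookup.
GEOIP = {ipaddress.ip_network("203.0.113.0/24"): "CN",
         ipaddress.ip_network("198.51.100.0/24"): "US"}
HOME_COUNTRIES = {"US"}  # where this workforce is expected to connect from


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def parse_kv(line: str) -> dict:
    """'<iso-timestamp> <source> k=v k=v ...' -> dict with parsed timestamp."""
    ts, source, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def vpn_sessions(log: str) -> list:
    """Pair start/end events into (user, src, start, end) tuples."""
    open_sessions, sessions = {}, []
    for rec in map(parse_kv, log.strip().splitlines()):
        key = (rec["user"], rec["src"])
        if rec["session"] == "start":
            open_sessions[key] = rec["ts"]
        elif key in open_sessions:
            sessions.append((rec["user"], rec["src"], open_sessions.pop(key), rec["ts"]))
    return sessions


def badge_entries(log: str) -> dict:
    entries = defaultdict(list)
    for rec in map(parse_kv, log.strip().splitlines()):
        if rec["event"] == "entry":
            entries[rec["user"]].append(rec["ts"])
    return entries


def detect(vpn_log: str, badge_log: str, min_days: int = 3) -> list:
    """Rule 1: VPN session from outside HOME_COUNTRIES while the user badged in
    that day. Rule 2: the same foreign source seen on >= min_days distinct days."""
    badges = badge_entries(badge_log)
    findings, foreign_days = [], defaultdict(set)
    for user, src, start, end in vpn_sessions(vpn_log):
        cc = country_of(src)
        if cc in HOME_COUNTRIES:
            continue
        foreign_days[(user, src)].add(start.date())
        if any(b.date() == start.date() and b <= end for b in badges.get(user, [])):
            findings.append({"rule": "vpn_abroad_while_badged_in", "user": user,
                             "src": src, "country": cc, "day": start.date().isoformat()})
    for (user, src), days in foreign_days.items():
        if len(days) >= min_days:
            findings.append({"rule": "recurring_foreign_source", "user": user,
                             "src": src, "country": country_of(src), "days": len(days)})
    return findings


if __name__ == "__main__":
    for finding in detect(VPN_LOG, BADGE_LOG):
        print(finding)
```

Neither rule looks at whether the login succeeded, because in this case every login did. A real deployment would replace the GEOIP dict with a maintained database, take the approved countries per user from HR data rather than a constant, and tune min_days so that a one-week trip does not page anyone while a quarter of daily connections from the same foreign address does.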
