The first application is the more minor of the two, and self-identifies as “Wireless Update”. It’s the only way to update the device, but it also has the capability of automatically installing apps in the background, without the user’s consent. Malwarebytes identified this malware as Android/PUP.Riskware.Autoins.Fota.fbcvd, or Adups.

On a side note, the inclusion of Adups malware is actually what led to BLU’s smartphones being pulled from the Amazon marketplace. BLU eventually settled with the FTC. Adups had been collecting a lot of user data, including “full-body of text messages, contact lists, call history with full telephone numbers, and unique device identifiers including the IMSI and IMEI”. This data was then transmitted back home. In the case of the UMX U683CL, the app immediately begins installing applications in the background once the device is powered on and connected to the internet. The apps are free of malware thus far, but this is still entirely done without user consent. This does not mean they will be clean in the future, either.

Pre-installed and unremovable malware

But the worst comes in the form of the second application, Android/Trojan.Dropper.Agent.UMX, which is a heavily obfuscated and vital part of the system. It comes as part of the device’s own settings application, so removing it would render the device unusable. Malwarebytes matched the trojan with other malware of Chinese origin thanks to shared service names, along with code that matches in every aspect apart from variable names. It also shares a hidden library called com.android.google.bridge.LibImp, which loads another trojan known as Android/Trojan.HiddenAds.WRACT. It does not come in immediately, and the researchers at Malwarebytes eventually did receive it. This new malware presents itself as a notification simply titled “Full”, with no other identifying information. It’s possible to uninstall it HiddenAds, although it’s unknown whether or not it’s gone for good once you do.