Researchers at Malwarebytes say they obtained the U686CL to investigate numerous complaints in its support system from users claiming some of the preinstalled apps were malicious. And that's exactly what the researches claim to have found themselves.
"The first questionable app found on the UMX U686CL poses as an updater named Wireless Update. Yes, it is capable of updating the mobile device. In fact, it’s the only way to update the mobile device’s operating system (OS). Conversely, it is also capable of auto-installing apps without user consent," the researches noted.
"While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time," the researchers say.
The other part of the concern is that the only recourse is to uninstall the updater. However, that means users could miss out on critical security patches and other goodies. In other words, choose your poison.
In addition, Malwarebytes says the phone's Settings app is malicious as well, as it "functions as a heavily-obfuscated malware" that the firm detects as a Trojan dropper capable of fetching and installing a payload. This one also traces back to China, the researchers say.
"Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device," the researchers noted.
Sprint Refutes Claim Malware Exists On Virgin Mobile's Subsidized Unimax U686CL Android Phone
"We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware," Sprint told Arstechnica.
Regardless, Malwarebytes recommends U686CL owners to uninstall the Wireless Update app, even though it means they could be missing out on critical security updates.
"We think it's worth the tradeoff and suggest doing so," the company says.