Autoins
Pre-installed firmware threat that silently auto-installs apps from the moment of first boot. Discovered by Malwarebytes on UMX U683CL phones sold through the US government's Lifeline Assistance program. The "Wireless Update" system app (detected as Android/PUP.Riskware.Autoins.Fota) silently installs apps without user consent and can deliver additional malware including Guerrilla and HiddenAds trojans. Linked to the Chinese firm Adups.
Overview
| Property | Value |
|---|---|
| First Seen | ~2019 |
| Type | Pre-installed firmware threat / Auto-installer |
| Attribution | Linked to Adups (Chinese firmware provider) |
| Aliases | Android/PUP.Riskware.Autoins.Fota (Malwarebytes) |
Distribution
Pre-installed in device firmware on budget Android phones. Ships as the "Wireless Update" system app. Cannot be uninstalled without rendering the phone unusable.
Capabilities
| Capability | Implementation |
|---|---|
| Silent app installation | Auto-installs apps from first boot without user consent |
| Payload delivery | Can install Guerrilla trojans and HiddenAds malware |
| System-level persistence | Embedded in firmware, impossible to remove normally |
| Companion dropper | Settings app itself detected as Android/Trojan.Dropper.Agent.UMX |
Notable Campaigns
Malwarebytes discovered Autoins on UMX U683CL phones sold via the US government's Lifeline Assistance program, which provides subsidized phones to low-income Americans. German Gigaset phones were found with similar pre-installed threats in 2021.
Significance
Autoins illustrates the supply chain compromise problem in the budget Android device market. It is related to the broader firmware grayware problem and connected to the Triada and Keenadu firmware-level threats.