4 hours ago, zealstarwind said:

I recently updated from the previously mentioned UMX phone to an updated U693CL and I am getting a pop-up in Chrome, it always opens a new tab for g21news.com after a set random time. Malwarebytes doesn't detect anything and I suspect it's changed or the app is hidden behind admin commands. Also there is a modified home screen that will not allow me to remove Google search bar on the home screen. If Assurance Wireless was looking into it they ain't doing crap about it as they probably know and are getting paid by the manufacturer.

There have been a variety of issues like this for our UMX phones the past couple years.  Assurance is well aware and they do nothing.  Usually the problem persists for a while and then UMX fixes it with an update so the phone will be fine for months, but then another one pops up.  There is nothing you can do about it unless you use ADB to disable the system app that the virus is factory installed in.  For example I disabled Wireless Update a couple years ago and then my phone and nothing on it ever updated until I knew the virus had been fixed by UMX and reset my phone.

The virus you have didn't seem as bad.  I can't remember which system app it is in.  But I don't have the G21 news virus anymore because I think a later update had fixed it.  Go through the update routine again to see that you have the latest update installed.  With the last update that I have I don't see any virus activity.


  • Staff
13 hours ago, zealstarwind said:

I recently updated from the previously mentioned UMX phone to an updated U693CL and I am getting a pop-up in Chrome, it always opens a new tab for g21news.com after a set random time. Malwarebytes doesn't detect anything and I suspect it's changed or the app is hidden behind admin commands. Also there is a modified home screen that will not allow me to remove Google search bar on the home screen. If Assurance Wireless was looking into it they ain't doing crap about it as they probably know and are getting paid by the manufacturer.

Hi @zealstarwind,

See this post to resolve g21news.com homepage: 

Nathan


I do not have any apps on my phone that didn't come preloaded besides me installing Discord. It is probably baked in and I have disabled all extraneous apps I could. This is just a thing with Assurance Wireless and UMX where every phone comes prebaked with malware to pop up ads.

On 4/6/2021 at 11:23 AM, zealstarwind said:

I do not have any apps on my phone that didn't come preloaded besides me installing Discord. It is probably baked in and I have disabled all extraneous apps I could. This is just a thing with Assurance Wireless and UMX where every phone comes prebaked with malware to pop up ads.

I think it's in the settings app.  I had the G21news virus last year, but later updates got rid of it.  When you get a new phone it may be several updates behind so you have to go through the update process several times until it says that you have the most up to date.

10 minutes ago, stvvv said:

think it's in the settings app

It was actually the Customizations app.  I didn't bother to disable it at the time because I didn't know what that would do.


Hey guys,

I wanted to give my two cents on this issue since it has also been bothering me. I appreciate all the replies and have tried every single solution possible, but I still couldn't get rid of the damn tarot card site or G21 news. It was driving me insane. And I recently fell victim to a serious breach in my personal privacy that I might have to seek legal counsel for. I couldn't think of anything that would be the cause, other than my phone.

I called my service provider and simply requested a new phone that WASN'T of the UMX brand. They sent me a Wiko, and after a brief search, I found next to no malware complaints for this brand akin to the UMX phones.

I've only been using it for today so far and I haven't found any issues, but if I do I'll give an update just to be informative. I don't know if requesting a new phone is an option for everyone here but if it is and you can't do anything about the malware on your current phone, maybe consider it. And make sure it's not another UMX. If I find out my previous phone had anything to do with my security compromise, I am seriously considering suing someone.

  • Staff
14 hours ago, Darien said:

Hey guys,

I wanted to give my two cents on this issue since it has also been bothering me. I appreciate all the replies and have tried every single solution possible, but I still couldn't get rid of the damn tarot card site or G21 news. It was driving me insane. And I recently fell victim to a serious breach in my personal privacy that I might have to seek legal counsel for. I couldn't think of anything that would be the cause, other than my phone.

I called my service provider and simply requested a new phone that WASN'T of the UMX brand. They sent me a Wiko, and after a brief search, I found next to no malware complaints for this brand akin to the UMX phones.

I've only been using it for today so far and I haven't found any issues, but if I do I'll give an update just to be informative. I don't know if requesting a new phone is an option for everyone here but if it is and you can't do anything about the malware on your current phone, maybe consider it. And make sure it's not another UMX. If I find out my previous phone had anything to do with my security compromise, I am seriously considering suing someone.

Hi @Darien,

Good to hear you convinced Assurance Wireless to send a non-UMX phone.  Also avoid ANS.  If available, I would try to stick to phone manufacturers that are more well known.  Unfortunately, you can no longer see the phone options on Assurance Wireless' website or I'd give recommendations.

Nathan

  • 1 month later...

A repost from me, from another thread:

I work in the technical field of smartphones, including Android, so I have more than sufficient technical knowledge.  I have been helping a family friend, a senior, with solving these exact issues on the U693CL.  I am dumbfounded why Assurance and UMX allow this to continue to happen.  I implemented some tools from the previous rounds to shut down and clean off these malware pushes.  After 3 UMX security updates, and based on behaviors I saw and tracked, I am certain the Android Security updates pushed out by UMX have weaknesses/vulnerabilities.  It may seem like it cleaned off some malware but in reality, it activates another one but in a dormant state.  It acts as a backdoor to execute code that would otherwise be subject to some Android OS level restrictions and it invokes APIs only true developers would know.

The g21news hijack was triggered by the "TopicNews" app.  Before the recent security update, that apk was called the "Topic" app; I had it disabled and uninstalled via ADB shell commands.  Back at that time, the hijacked sites and pops were various game sites.  The phone system snapshot I took shows the update somehow changed the apk name and re-installed and re-enabled it.

In addition, there have been frequent Google Play Protect notifications indicating it found an app or blocked an app from being installed that was deemed malicious.  This happens when the phone is not touched or used, so some code is executing all this malicious behavior.

I logged the IP traffic and EVERY, I mean EVERY hijacked browser redirect or pop-up ad that masks the screen is hosted by IP addresses in China.  Domain names are all registered with China-based domain registrars.  Servers seem to be hosted on systems with IP addresses serviced or registered through Alibaba, Tencent, or one of the other Chinese internet powerhouses.

I have done multiple soft/hard factory restores, and after the phone downloads the latest security updates, it would be back to the same situation with this malware, hijack and ad redirect.

From this info, I am inclined to believe Assurance is not the main culprit but it's extremely careless or has no expert in-house to monitor or address these problems.  The key issue is with UMX.  I agree with the author of various posts from Malwarebytes, there appears to be a break or vulnerability in UMX's software development custody to allow this to happen repeatedly, and to both U683CL and now U693CL.

Last note, while these phones use low-end chipsets from Qualcomm, like the 210/215 used in the U693CL, they are actually very capable chipsets and can be a very suitable and functional modern entry-level phone for the low-income lifeline users and their day to day needs.  This malware is so active, evasive and heavy, it renders the phone completely useless, which is just super sad, especially during COVID when people really need their phone and internet.

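An added example, not part of the original post and not the poster's own tooling: one way to compare package snapshots taken before and after an update, the kind of comparison described in the post above where an update brought a disabled app back under a new name. The snapshot contents and `com.example.*` package names are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: diff package snapshots taken before and after an OTA update.
# Capture on the workstation, e.g.:
#   adb shell pm list packages -f -s > sys.txt   (system packages with APK path)
#   adb shell pm list packages -d    > dis.txt   (disabled packages)
LC_ALL=C; export LC_ALL

# Constructed sample snapshots; package names are placeholders, not from a real device.
BEFORE_SYS='package:/system/app/Topic/Topic.apk=com.example.topic
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Weather/Weather.apk=com.example.weather'
BEFORE_DIS='package:com.example.topic
package:com.example.weather'
AFTER_SYS='package:/system/app/TopicNews/TopicNews.apk=com.example.topicnews
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Weather/Weather.apk=com.example.weather'
AFTER_DIS=''

# Reduce pm output to sorted package names. With -f the line is
# package:<apk path>=<name>; the path may itself contain "=", so cut at the last one.
pkg_names() {
    tr -d '\r' | sed -n 's/^package://p' | sed 's/.*=//' | sort -u
}

# set_diff A B: names present in snapshot B but not in snapshot A.
set_diff() {
    _d=$(mktemp -d)
    printf '%s\n' "$1" | pkg_names > "$_d/a"
    printf '%s\n' "$2" | pkg_names > "$_d/b"
    comm -13 "$_d/a" "$_d/b"
    rm -rf "$_d"
}

added_packages()   { set_diff "$BEFORE_SYS" "$AFTER_SYS"; }
removed_packages() { set_diff "$AFTER_SYS" "$BEFORE_SYS"; }

# Disabled before the update, still installed after it, no longer disabled.
reenabled_packages() {
    for _p in $(printf '%s\n' "$BEFORE_DIS" | pkg_names); do
        printf '%s\n' "$AFTER_SYS" | pkg_names | grep -qxF "$_p" || continue
        printf '%s\n' "$AFTER_DIS" | pkg_names | grep -qxF "$_p" || echo "$_p"
    done
}

# Heuristic: a removed package whose name is a prefix of a newly added one
# suggests the same component came back under a new name.
possible_renames() {
    for _old in $(removed_packages); do
        for _new in $(added_packages); do
            case $_new in "$_old"*) echo "$_old -> $_new" ;; esac
        done
    done
}

echo "added:      $(added_packages)"
echo "re-enabled: $(reenabled_packages)"
echo "renamed?:   $(possible_renames)"
```

The prefix match is only a hint; comparing the APK's signing certificate and declared components across the two snapshots is what would confirm that a new package is the old one under another name.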

By the way, if Assurance tells you the issue will go away once merged/transitioned to the T-Mobile network, then they are grossly misinforming customers.  I've checked with industry contacts, Assurance put out bids for phones knowing the Sprint network will be decommissioned.  For a couple of years now, all the new phone designs are required to support all of T-Mobile LTE bands, including the latest bands, 12, 41, 66 and 71.  These phones will not need to be replaced and they simply have to send you a new T-Mobile based SIM card.  This means whatever backdoor and weakness will still be in the phone.

It seems like UMX is doing this on purpose, to generate ad money.  If they want to fix this, it should be doable when that offending apk is in the factory image.  There is no technical limit why this could not be done quickly and efficiently as a permanent fix.

1 hour ago, _W_ said:

In addition, there have been frequent Google Play Protect notifications indicating it found an app or blocked an app from being installed that was deemed malicious.  This happens when the phone is not touched or used, so some code is executing all this malicious behavior.

I logged the IP traffic and EVERY, I mean EVERY hijacked browser redirect or pop-up ad that masks the screen is hosted by IP addresses in China.  Domain names are all registered with China-based domain registrars.  Servers seem to be hosted on systems with IP addresses serviced or registered through Alibaba, Tencent, or one of the other Chinese internet powerhouses.

I installed noroot firewall as recommended, and have pretty much blocked everything except a few trusted apps (blocked ALL wireless updates, google services, android services etc).  Bothersome, but at least now I can use my phone.  They are unable to install junk, but I don't know if this is actually protecting my data or not.

20 hours ago, iBeleave said:

I installed noroot firewall as recommended, and have pretty much blocked everything except a few trusted apps (blocked ALL wireless updates, google services, android services etc).  Bothersome, but at least now I can use my phone.  They are unable to install junk, but I don't know if this is actually protecting my data or not.

I thought about that but the phone is being used by a non-tech senior, so it's another layer of permission that may cause more problems.  I do believe there is value in the Android security updates pushed by UMX sans the malware/adware in the payload.  The issue is still that they have a software development process custody issue, or maybe they are doing this on purpose.

Do you do block-all and then grant permission based on access attempt, or have you developed a block list (from the malware's triggered activities)?  If so, can you share the block list?

13 minutes ago, _W_ said:

I thought about that but the phone is being used by a non-tech senior, so it's another layer of permission that may cause more problems.  I do believe there is value in the Android security updates pushed by UMX sans the malware/adware in the payload.  The issue is still that they have a software development process custody issue, or maybe they are doing this on purpose.

Do you do block-all and then grant permission based on access attempt, or have you developed a block list (from the malware's triggered activities)?  If so, can you share the block list?

One wireless update got rid of the malware briefly, and another put it back, even when I had supposedly turned off updates, so I just stopped them all.

Yes, it would be very bothersome for most people, I think, and especially a senior.  However, once it is set up it's not bad.


NoRoot allows me to get notified of each access attempt, and choose to accept/deny based on wifi and/or data access.  I denied everything that came up, except my own apps (K9 email, podbean, duckduckgo on specific use).  A bunch of things are lumped together, not sure why, such as Android System which includes Android System, Wireless Update, Settings - I know that some of these were allowing malware in, so that whole group is denied.  Also Google play services group, and Google Play Store - which prevents installation of new stuff from them, which was also happening (a bit obnoxious if I actually want to install something myself).  Also something called Mobile Installer which was involved in the malware.

I poked around the phone some more.  Whoever designed the UMX software or did the Android integration are extremely lazy and just very careless engineers if I am being nice.  I found traces of settings and conduits related to Chinese cellphone carriers that should never be in a phone destined for the US, taking up storage.  There are several setting themes and overlays for CMCC (China Mobile) and CT (China Telecom) that are left in the phone software.  On phones destined for China, those settings allow some carrier-based information exchange, like getting plan information, data/min used/left, and host any popups the carrier wanted to show, but why in US phones?  There are usually build flags for each carrier's version of the phone software, so carrier-specific stuff is not supposed to get pulled in.

I spotted several pieces of software Sprint outsourced to InnoPath, which generally come on all Sprint phones, like Mobile Installer.  They are backend tools for Sprint to push updates and manage devices.  I would suggest not disabling them if it's showing as from InnoPath.  Assurance/Sprint is transitioning customers to the T-Mobile network and may need to push changes to the phone settings.  In theory, they can do everything through Android APIs but they may automate those steps with their own tools like the ones from InnoPath.

Anyways, I am really stunned by the things I am seeing here.  I think the users should consider filing formal complaints with the FCC to hold Assurance responsible for better oversight of their vendors.  With this malware/adware, the phone can't even make or receive calls, with the ads blocking critical screen display information.  How can people count on this phone during an emergency?  I'd imagine most of Assurance's customers won't have the resources or tools to constantly try to clean up this malware/adware every couple of months.

  • 2 weeks later...

I am glad people are bringing these issues with Assurance Wireless and the UMX brand to light. While I am admittedly a novice at the inner workings of mobile operating systems, I know enough to understand that what UMX is doing isn't right and completely intentional. I was able to use the information from everyone here to stop the g21news redirects, but now I am facing a new line of issues, primarily redirecting me to a "gaming" site, 592onegame, which appears to be American in origin (at least according to their IP), and running through a Cloudflare server. As if this wasn't bad enough, I have recently been getting redirected to a site claiming to be Google and trying to get me to take a survey for a "prize" in the form of a gift card or Cash app deposit. Now they are going beyond ad revenue to blatant phishing attempts. Malwarebytes says there are no issues detected, so I am left to assume this is further interference from UMX. If I didn't need this phone so badly and could afford the change, there is no way I would continue using it. For those here who are better versed in mobile security, please continue doing what you can to help those who, like me, are being victimized by these companies. My thanks to you.


I spent some time over the last several weeks tracking down the browser redirect on launch.  The people who wrote that malicious code are savvy.  I used an array of tools to monitor the Android OS but it seems the code can detect the tools are running, so it won't pop/re-direct.  The moment I disable the tools, it starts to pop again. The level of maliciousness is sickening.  I am working on some methods to monitor the OS more transparently.  The malware code is very deeply embedded in the OS.

I think the best recourse is for users to file an FCC complaint and force Assurance to take responsibility and drop these phone vendors.  With T-Mobile/Sprint buying power, it's shocking that they don't take more aggressive action on these phone vendors.

2 hours ago, _W_ said:

I think the best recourse is for users to file an FCC complaint and force Assurance to take responsibility and drop these phone vendors.  With T-Mobile/Sprint buying power, it's shocking that they don't take more aggressive action on these phone vendors.

I agree!  Assurance said I needed a new phone for the T-Mobile change, so I talked to them for a long time to convince them to NOT send me another UMX phone (currently have U683CL).  Finally one customer service rep agreed to send me a Wiko, but when it arrived, it was actually U693CL - they say that is all they have now.  I filed a complaint with the FCC last week, so Assurance called me, but insist there is nothing they can do.  They say all their devices are "approved" by the government!  I am going to look at a different phone company that will let me choose my own phone.

3 minutes ago, iBeleave said:

Assurance said I needed a new phone for the T-Mobile change...

The agents in the Philippines are clueless.  The T-Mobile/Sprint merger was known in the industry for some time and many Assurance phones, even old ones, can support the T-Mobile LTE network fully.  It was a requirement to the Chinese phone makers.  It's just a matter of sending a T-Mobile based SIM and these phones can work on the T-Mobile network without the need for a new phone.  The other problem is Wiko may have licensed their name to ANS, so the ANS phone is now under the Wiko brand.  This mess is not going away.

I can't imagine, with these phones causing so many problems and Assurance having to send replacements or warranty them, that it's cheap for Assurance to do this, instead of just giving consumers the option to use other unlocked phones.
