Mobile Menace Monday: Preinstalled adware and sometimes worse

BLU-manufactured mobile devices have been discovered with preinstalled adware known as Android/Adware.YeMobi.

Behavior of YeMobi

The incriminating behavior of the adware YeMobi is its ability to launch the default browser on a mobile device and use it to display ads. There is an unusual element to this as well—it only displays ads while the Google Play store app is running. As seen in the code below, if (the Google Play store app) is active, activity MessageLoadDetail is loaded. Activity MessageLoadDetail then goes on to display ads.

The rise of preinstalled malware

Buying a new phone only to find it comes preinstalled with adware or even more dangerous malware is frustrating.  Trust us, it’s just as frustrating not being able to remove these apps for our customers.

With the ease of selling online, Android devices re-imaged with custom ROMs (“Read-Only Memory”) containing preinstalled shady or malicious apps are appearing more and more on the online marketplace. Sellers can easily re-image an Android device with a custom ROM, which replaces the default operating system—typically stored in read-only memory. Sellers then turn around and sell these devices for cheap online.

Just like when installing apps, it’s important to buy your mobile device from trusted sources. Avoid buying devices online from untrusted sellers or stores, even if the price is hard to pass up.

Disabling YeMobi and other preinstalled apps

In order to keep essential operating system apps from being removed on Android devices, you cannot uninstall preinstalled apps. However, you can disable some preinstalled apps—like Adware YeMobi. Simply go into Settings > Apps, find the YeMobi app, open its settings, and disable it via the Disable button.

Finding preinstalled malware on your device can be tricky—a mobile scanner can assist with finding it for you. Malwarebytes Anti-Malware Mobile detects Adware YeMobi along with other preinstalled malware and can be found for FREE on Google Play.
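For readers comfortable with adb, a manual check is also possible. The script below is an added example, not code from the original post or from Malwarebytes: it compares the device's preinstalled package list against a baseline and prints anything unexpected. The baseline idea, the sample package names and the paths are assumptions constructed for illustration; the real YeMobi package name is not given here.

```shell
#!/bin/sh
# Added example: list preinstalled (system) packages missing from a baseline.
# Real input comes from:  adb shell pm list packages -s -f
# Each line looks like:   package:<apk path>=<package name>

# Constructed sample output; package names and paths are made up.
SAMPLE_PM_OUTPUT='package:/system/priv-app/Phonesky/Phonesky.apk=com.android.vending
package:/system/app/Browser/Browser.apk=com.android.browser
package:/system/app/SysHelper/SysHelper.apk=com.example.placeholder.adware
package:/data/app/~~Zm9v==/com.example.updated-YmFy==/base.apk=com.example.updated'

# Constructed baseline (assumption: names taken from a known-good device
# of the same model), one package name per line.
SAMPLE_BASELINE='com.android.vending
com.android.browser
com.example.updated'

CR=$(printf '\r')
TAB=$(printf '\t')

# Read pm output on stdin, print "name<TAB>path" per package.
# The name is whatever follows the LAST "=", because newer Android
# versions can put "=" characters inside the APK path itself.
parse_pm_list() {
    while IFS= read -r line; do
        case $line in package:*=*) ;; *) continue ;; esac
        line=${line#package:}
        line=${line%"$CR"}            # adb output may end lines with CRLF
        printf '%s\t%s\n' "${line##*=}" "${line%=*}"
    done
}

# $1 = baseline text. Print parsed entries whose name is not in it.
# grep -F -x: fixed-string, whole-line match, so "com.a" never matches "com.ab".
unknown_preinstalled() {
    baseline=$1
    parse_pm_list | while IFS=$TAB read -r name path; do
        printf '%s\n' "$baseline" | grep -Fxq -- "$name" ||
            printf '%s\t%s\n' "$name" "$path"
    done
}

# Demo on the constructed sample: prints the one package not in the baseline.
printf '%s\n' "$SAMPLE_PM_OUTPUT" | unknown_preinstalled "$SAMPLE_BASELINE"
```

On a real device, pipe `adb shell pm list packages -s -f` into `unknown_preinstalled` instead of the sample. A flagged package can then be disabled from Settings as described above, or with `adb shell pm disable-user --user 0 <package>`.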

As always, stay safe out there!


Nathan Collier

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.