My neighbor brought me her new Android device she was given through the low income "Obama phone" program as it was exhibitting unusual behavior.
The phone was installing unwanted apps without any user intervention from a third party app host.
I found the culprit(s) to be the factory install "Gallery" application as well as the "OTA update" apps that were installing apps as they pleased.
Uploading the SHA256 sums to Virus Total confirmed that both were malicious with the OTA update app getting flagged by 38 different AV engines..
The phone itself was exhibiting rootkit-like behaviour in that there were many processes running hidden even from the system and logcat errors showed that it didn't recognize several of the processes which accounted for why there were very little processes shown when enabling developer tools.
Just out of curiosity I enabled Google's Play Protects full scanning option and Play Protect said everything was OK.
I did another scan several days later to see if Play Protect would flag any of the apps now that samples had been sent back to Google but the scans still showed all was well.
There is a chance that the Play Protect functionality could have been hampered by the rootkit-like functionality of the device however.
What was concerning to me was that the Google Chrome browser installed on the phone had a factory installed bookmark to the support forum of the wireless company that was distibuting these malicious phones and in the support pages themselves there were several users that had complained to the wireless company representatives including one user that had gone through many of the same checks as I had and posted his findings on the support site.
Representatives from the wireless company did acknowledge the complaints so it is a mystery to me why my neighbor was given one of the infected devices over 9 months after the date of the complaints on the support page hard-coded into the phones Chrome browser.
I tried reaching out to the wirelees company who then referred me to the manufacturer.
The manufacturer has an automated answering machine that refers users back to the wireless company.
It worries me to think of just how many of these dodgy phones are being handed out to the most vulnerable of American citizens.