FCC Subsidized Sprint Phones Have Malware Preinstalled

The FCC is running a program to subsidize smartphones for low-income households. It’s paying Sprint—in the guise of “Assurance Wireless”—to hand out Unimax Android phones infested with dropper malware, say researchers.

The U.S. taxpayer is on the hook for this utter FAIL, naturally. When asked, the FCC basically said half of nothing at all. And Sprint denies the malware is … uhh … malicious.

So that’s OK then. Wait, not “OK”—the other thing. In today’s SB Blogwatch, we follow the money.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Regex.

The Poor Are the Product

What’s the craic? Thomas “millions” Brewster reports—“U.S. Funds Program With Free Android Phones For The Poor — But With … Malware”:

 For years, low-income households have been able to get cheap cell service and even free smartphones via the U.S. government-funded Lifeline Assistance program. One provider, Assurance Wireless, offers a [$35] Android device along with free data, texts and minutes.

But according to security researchers, there’s a catch: the Android phones come with preinstalled … malware. … One of the malware types is impossible to remove.

One of the preinstalled malware … is the creation of a Chinese entity known as Adups. … Adups tools have been caught siphoning off private data from phones, including the full-body of text messages, contact lists and call histories with full telephone numbers.

A spokesperson for Sprint, which owns … Assurance Wireless, said: “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause. However, after our initial testing we do not believe the applications described in the media are malware.”

The FCC, which runs Lifeline Assistance, [said] the law required its fund not be used by partner carriers for spending on devices. It declined to clarify how it enforces that law or whether it would be investigating the … issues discovered.

The question worth asking: … Is privacy only for the rich?

Book him, Mike Dano—“Sprint Sold Phone With Chinese Malware”:

 Assurance Wireless … run by Sprint … receives subsidies from the US government’s Lifeline program, which is designed to help low-income Americans on programs like food stamps. … Given that Sprint disputes Malwarebytes’ findings, it’s difficult to assess exactly what’s going on here.

What is clear though is that as the world becomes increasingly digitized, hacks and cyber attacks are becoming increasingly common from both private and state-sponsored sources. And this situation will continue to drive attention in cybersecurity on individual, corporate and national levels.

Who found it? Malwarebytes Labs researcher Nathan Collier—“Government-funded phones come pre-installed with unremovable malware”:

 Assurance Wireless … offers the UMX U686CL phone as their most budget conscious option. At only $35 under the government-funded program, it’s an attractive offering. However, what it comes installed with is appalling.

The first questionable app [is] PUP.Riskware.Autoins.Fota.fbcvd …  a variant of Adups, a China-based company caught collecting user data [and] creating backdoors. … From the moment you log into the mobile device [it] starts auto-installing apps [with] no user consent. … This opens the potential for malware to unknowingly be installed in a future update … at any time.

Another unremovable pre-installed malicious app [is] the mobile device’s own Settings app [which] functions as a heavily-obfuscated malware … Trojan.Dropper.Agent.UMX. [It] shares characteristics with two other variants of known mobile Trojan droppers [and] the code is almost identical [so] we can confidently confirm a match. [It] drops another piece of malware known as … Trojan.HiddenAds.

Pre-installed malware continues to be a scourge for users of mobile devices. But … use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision.

We informed Assurance Wireless of our findings and asked them point blank why a US-funded mobile carrier is selling a mobile device infected with pre-installed malware? After giving them adequate time to respond, we … never heard back.

Where did this guv’mint program come from? 0100010001010011 looks back:

 The program was started under FDR as the Rural Electrification Act. … Amended in 1944 to include loans to telephone companies and establish a “Rural Telephone Administration”.

Modified by the Telecommunications Act of 1996 [under Clinton]. Updated to include cell phones by [George W.] Bush.

So surely the FCC will act? Obsydia is slightly sarcastic:

 Pai will get right on that.

But Chris Summers does not a swallow make: [You’re fired—Ed.]

 The fact that it’s a for-profit Anti-virus software company who’s basically making these claims should be raising all kinds of alarm bells.

And aexcorp wonders where the “there” is:

 This type of pre-installed malware is not uncommon on really cheap and *****y phones (e.g., BLU). The government most certainly never did any actual due diligence on the phones themselves (and if any was done, it was by people without anything close to the expertise needed to determine this type of issue). They just picked [the] cheapest option.

It’s not just Unimax, alleges fred911:

 ANS also does the exact same thing. No matter what the user blocks from execution on the phone, it calls malware for installation.

So, not only are these companies making their income from the US Government, they are also installing adware using the bandwidth allocated to the plan that we pay for. In addition, these phones are generally given to those that have the least knowledge or availability for support.

It’s a criminal enterprise that the providers of subsidized phones have been doing without anyone saying one word, or without accountability. This is done to those that need the most protection, it’s shameful.

And kchaxcer says it runs much deeper:

 The storage scanner in the Device Care section is made by a super shady Chinese data-mining/antivirus company called Qihoo 360. It comes pre-installed on your Samsung phone or tablet, communicates with Chinese servers, and you cannot remove it.

Those in the West may not be familiar with this company, but it’s a very shady company … that has utilized many dirty tricks to attempt getting a larger market share. Its antivirus (for PC) is so notorious that it has garnered a meme status in China, Hong Kong, Taiwan and other Chinese speaking countries. [It] would actively search for and mark other competitors’ products as a threat and remove them [and] force installation of 360’s browser bars.

The Storage scanner on your phone has full access to all your personal data (since it’s part of the system), and by Chinese laws and regulations, would send these data to the government when required. … I’m extremely disappointed in Samsung’s business decision. … I chose Samsung for its premium build quality, and of course, less involvement from the Chinese government.

Meanwhile, haunebu snarks it up:

 Uh oh! Some government bureaucrat is about to not get fired.

And Finally:

The surprising history of regex

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.
