For years, low-income households have been able to get cheap cell service and even free smartphones via the U.S. government-funded Lifeline Assistance program. One provider, Assurance Wireless, offers a free Android device along with free data, texts and minutes.
It all sounds ideal for those who don’t have the money to splash on fancy Apple or Google phones. But according to security researchers, there’s a catch: the Android phones come with preinstalled Chinese malware, which effectively opens up a backdoor onto the device and endangers users’ private data. One of the malware types is impossible to remove, according to the researchers.
Researchers at cybersecurity company Malwarebytes said that although they had tried to warn Assurance Wireless, a Virgin Mobile company, they had received no response. So the devices likely remain vulnerable today. Forbes was also unable to get a response from the company.
The FCC, which runs Lifeline Assistance, told Forbes the law required its fund not be used by partner carriers for spending on devices. It didn’t clarify how it enforces that law and did not say whether it would be investigating the privacy and security issues discovered by the researchers.
Senator Ron Wyden is now asking the FCC why such phones are being shipped under the program. “It is outrageous that taxpayer money may be going to companies providing insecure, malware-ridden phones to low-income families. I’ll be asking the FCC to ensure Americans that depend on Lifeline Assistance aren’t paying the price with their privacy and security.”
Chinese spyware lurking on Android phones
The affected device is a UMX phone shipped by Assurance Wireless. One of the preinstalled pieces of malware, according to Malwarebytes senior analyst Nathan Collier, is the creation of a Chinese entity known as Adups. Though the tool looks and operates as a Wireless Update program, it’s capable of auto-installing apps without any user consent, which it starts doing immediately, according to a Malwarebytes analysis of a device, shared with Forbes ahead of publication. Adups hadn’t responded to a request for comment at the time of publication.
“This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time,” Collier wrote in a blog post published Thursday.
Historically, Adups tools have been caught siphoning off private data from phones, including the full body of text messages, contact lists and call histories with full telephone numbers.
A second piece of malware comes preloaded on the Assurance Wireless-supplied device: the phone’s own Settings app, Collier claimed. Though it operates like a typical Settings application, it proceeds to install malware known as HiddenAds, he added. Previous Malwarebytes research showed this malicious tool would throw up aggressive advertising on the infected phone. As the Settings app is vital to the functionality of the device, it can’t be removed without turning the phone into a useless brick.
Collier told Forbes he was confident every model of the device shipped by Assurance Wireless was infected with both malware types.
His research also highlights a growing problem of preinstalled malware on Android phones. “There appears to be a rise of budget phones in general coming with preinstalled malware,” Collier added. “The fact that the Trojan is tied into a system app that cannot be removed escalates this issue beyond fraud in my opinion.”
But the case in the U.S. has another element, in that it is low-income folk who have been endangered. The question worth asking is: Is privacy only for the rich?