Government-Subsidized Lifeline Phones Pre-installed with Malware

Government-subsidized phones for the FCC’s Lifeline Assistance program, designed to provide phones and internet access to assist low-income Americans, were sold with pre-installed, unremovable malware, according to anti-malware software provider Malwarebytes. The malware cannot be removed from the Android phone without causing the device to stop working.

Virgin Mobile’s Assurance Wireless program sold the Unmiax U683CL smartphone with the malware for $35 to qualifying users. Under the program, consumers get a free Android phone, with free data, texts, and minutes. Researchers from Malwarebytes noted that the two malware apps look like and operate as intended, controlling device updates and settings respectively; removing those apps would render the phone inoperable. The malware can auto-install other apps and can aggressively display advertisements. They also create a backdoor on the device, which could compromise a user’s private data. The malware codenames use Chinese characters for variable names, which could link the malware to China, where the phones were manufactured. In a blog post, Malwarebytes identified a way to remove the malware, but not without consequences to the user.

Representatives from Sprint, which owns Virgin Mobile, stated the company did not believe the apps contained malware. “We are aware of this issue and are in touch with the device manufacturer Unimax to understand the root cause, however, after our initial testing we do not believe the applications described in the media are malware.”

Wireless Update is designed to be used to update the phone. However, the malicious code on the Wireless Update app was “infected with a variant of HiddenAds…detect[ed] as Android/Trojan.HiddenAds.WRACT…It runs silently in the background and does not create an app icon. Evidence of its running in the background can be seen in the mobile device’s notifications.” The second malicious code is embedded within the settings app. The code is “Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar … because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers.”

This malware is problematic, especially because it came pre-installed. According to Malwarebytes’ report, “[f]rom the moment you log into the mobile device, Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own. While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time.” This could lead to a user’s personal information to be compromised as a result of the pre-installed malware and potential for the installation of more malware.

Malwarebytes notes that “[b]ecause the app serves as the dashboard from which settings are changed, removing it would leave the device unusable.” Further, “uninstall the Settings app, and you just made yourself a pricey paper weight.” 

Malwarebytes also stated, “[b]udget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware?”

“It is outrageous that taxpayer money may be going to companies providing insecure, malware-ridden phones to low-income families,” Senator Ron Wyden (D-OR) stated. “I’ll be asking the FCC to ensure Americans that depend on Lifeline Assistance aren’t paying the price with their privacy and security.”