At least one low-cost phone model of the type used to access voice and broadband services provided to low-income Americans through the Federal Communications Commission’s (FCC) Lifeline Program has been found to be pre-installed with foreign malware, according to research released by Malwarebytes on Jan. 9.
In response to the report, the FCC pointed out that the Lifeline program does not subsidize phone hardware – only services carried over the phone – and the maker of the phone maintained that its devices’ pre-loaded phone applications do not contain malware.
Under the Federal program, Virgin Mobile’s Assurance Wireless sells the $35 Android smart phone, UMX U686CL. After receiving complaints about the possibility of malicious activity on the phone, Malwarebytes said it discovered two pre-installed apps that can be used to facilitate malware infections.
Obscured by the update and settings applications, UMX U686CL phones contain a variant of Chinese-based Adups and Trojan mobile droppers, respectively. The wireless update app is associated with a company that was previously caught for collecting user data and auto-installs apps without user consent from the moment the phone is turned on, Malwarebytes reports.
“While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user,” the software company explains. “This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by wireless update at any time.”
The Trojan droppers spotted in the settings apps can install bundles of malicious code into a user’s mobile device, the report says.
“Although we have yet to reproduce the dropping of additional malware ourselves, our users have reported that indeed a variant of HiddenAds suddenly installs on their UMX mobile device,” the report explains.
There does not appear to be any easy solution to the malware problem, as uninstalling the applications prevents the user from accessing critical device updates, Malwarebytes cautions.
An FCC spokesperson clarified to MeriTalk that the Lifeline program only provides a subsidy for voice or broadband services, and does not fund hardware or applications.
“It is federal law that Lifeline funds are prohibited from supporting the cost of the handset or any other end-user device. The security of Americans’ cell phones is critical, and the FCC urges Lifeline providers to protect consumers from adware and malware,” the spokesperson said in an email.
Assurance Wireless commented that it is working with the device manufacturer to find the root cause of the issue, but does not believe the applications contain malware.