Some FCC Subsidized Low Income Phones Are A Chinese Malware Shitshow
from the ill-communication dept
We've long talked about the problems with the FCC's Lifeline program, which was created by Reagan and expanded by Bush Junior (yet somehow earned the nickname "Obamaphone"). The $2 billion program doles out a measly $9.25 per month subsidy that low-income homes can use to help pay a tiny fraction of their wireless, phone, or broadband bills (enrolled participants have to choose one). But for years, the FCC has struggled to police fraud within the program, with big and small carriers alike frequently caught "accidentally" getting millions in taxpayer dollars they didn't deserve.
Late last week another issue popped up with the government program, albeit of a different variety. Researchers over at Malwarebytes discovered that one such government-subsidized low-income wireless carrier, Assurance Wireless by Virgin Mobile, has been selling devices to low-income customers that are riddled with malware. One of the questionable apps pre-loaded on the device is dubbed "wireless update," and opens the door to malicious apps being installed without user awareness or consent:
"Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That’s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers."
Neat! Another malware app actually poses as the device's settings app, and can't be removed at all:
"It’s with great frustration that I must write about another unremovable pre-installed app found on the UMX U683CL phone: the mobile device’s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX. Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable."
When notified by journalists and lawmakers (Wyden) of the problem, the Ajit Pai FCC did what it's now infamous for, nothing:
The FCC is declining to say whether it’ll investigate @iblametom’s report concerning Chinese malware found in one Lifeline provider’s Android devices.
All it’s saying is that the FCC is not the provider of the service and that Lifeline $$ doesn’t pay for handsets.
— Brian Fung (@b_fung) January 9, 2020
Sure, Lifeline doesn't fund handsets, but it does fund this particular carrier, which would quickly take action if it meant losing taxpayer money. This is technically part of a broader problem the FCC/FTC don't seem too concerned about: the market, left to its own devices, is slowly turning things like privacy and security into luxury features exclusive to those who can afford them. A recent study by Privacy International found that the low-income budget phones we throw at the poor with pride routinely come with outdated OSes, malware, and other issues we don't seem to care much about.
Filed Under: fcc, lifeline, malware, subsidies
Companies: assurance wireless
Reader Comments
And then there's objective reality.
Objective reality, where the company behind Adups, Qihoo 360, is the respected security company that reported the latest vulnerability in Firefox. Probably why the story doesn't mention that Adups is theirs. It would ruin the narrative. And that in China, the Adups utility is just a firmware tool everyone uses. And that absolutely zero evidence has been presented to date that Adups has ever been used for anything nefarious. But it "could" be. And you stoke that with a little racism, and suddenly you have a Malwarebytes clickbait device.
[ link to this | view in chronology ]
Re: And then there's objective reality.
Okay, admittedly it's a Zof comment, and the comment itself is utter gibberish, but there seems to be a tiny flash of insight peeking through the clouds of lunacy.
Adups does in fact appear to be a firmware updater program, and claims that the reason it was marked as a malware provider in the first place was that one particular version of its software, to one customer, accidentally included elements of its software meant for hardware monitoring purposes; yes, they put out a software update that included a mechanism to raid the device's memory for SMS messages but, speaking as a programmer myself, that's probably because someone at the company included some method from a library that included that functionality, and ended up including all of the associated functionality in the product. An analogy might be that it included a "hand" function that it used for its "counting on fingers" functionality and nothing else, but by including the "hand" code, it pulled in all the functionality for pickpocketing, even if that code was never used.
Or they could be a bunch of rampant data thieves. I don't work for 'em, so I don't know.
There's definitely a big chunk of nuance lacking in this story though, which is somewhat ironic considering it's appearing so close to Mike's heart-searching article about Larry Lessig's SLAPP suits...
[ link to this | view in chronology ]
Re: Re: And then there's objective reality.
Oh, and there are plenty of viable reasons for such functionality, particularly if the overall software company manufactures any kind of hardware monitoring device that communicates via SMS and sends those SMS messages back to a central server to log and potentially do some off-device calculations.
Perfectly reasonable functionality that's, indeed, a security nightmare and PR horror show if it's accidentally released onto a consumer handset.
[ link to this | view in chronology ]
Re: Re: And then there's objective reality.
"An analogy might be that it included a "hand" function that it used for its "counting on fingers" functionality and nothing else, but by including the "hand" code, it pulled in all the functionality for pickpocketing, even if that code was never used."
It does get confusing. Consider that even as a user of an Android app you'll be asked to allow the new app to access phone calls (to allow incoming phone calls to pause the app in question), gallery and storage space (to allow snapshots and save functions), etc, etc.
All of which are perfectly legitimate uses but which could also be used for all sorts of outrageous and malicious fuckery.
Dual use bites as hard against common consumers as it does to ultra-authoritarian law enforcement, in the end. The only preventative measure is to take a deeper interest in what a given app actually does, why it does so, and check security pages for alerts mentioning the app or app manufacturer in question.
Actual security companies have to err on the side of caution so will naturally flag every app capable of accessing sensitive areas without known mitigation as a PUP or possible malware.
That said Zof's statement above; "...that in China, the Adups utility is just a firmware tool everyone uses." says nothing much at all, because in China if your carrier hands you a phone loaded to the brim with government rootkits you'll simply use it and like it. Or else.
[ link to this | view in chronology ]
Etymology
The devices got the name because, at a time when there was massive fraud, and parents with iPhones who qualified for the program signed up anyhow so that they could give a free phone to their kid, the Obama administration ENCOURAGED the program instead of shutting it down. The comparison is that both the phone program and the administration were phonies.
[ link to this | view in chronology ]
Re: Etymology
Thanks Obama
[ link to this | view in chronology ]
Re: Etymology
Also because there's one thing you can do with Obama's name that you can't do with Bush's or Reagan's:
RING RING RING RING RING RING RING...
OBAMAPHONE!
[ link to this | view in chronology ]
But these are OK to let the low paid have! The company to stop is Huawei because it produces far better products than similar American ones, are cheaper, safer, more reliable and get updated more often. The only problem found with any Huawei product is by Mr President and that's probably because they won't let him buy into it!!
[ link to this | view in chronology ]
Re:
Is there any data in support of your allegation?
[ link to this | view in chronology ]
Re: Re:
"Is there any data in support of your allegation?"
Well, there is, as far as he ran the snarcastic summary. Huawei's products are, by most tech standards, far better than comparable American ones in the same price range.
Motorola would have been the exception except that it's now owned by Lenovo and therefore also Chinese.
Essentially the only really American smartphone I can think of right now is the iPhone...and that comes in at price ranges about 30% higher than the same functionality on a similar quality Android phone, usually. And given that most of it is "made in China" the US label is somewhat tentative as well.
Huawei's routers and switches were the primary cause the US declared specific sanctions on them, and after extensive fact-checking by independent experts the only possible reason which stands out would be that their routers are cheaper than Cisco's while still offering the same functionality, and that with 5G being hyped so hard the White House doesn't want a Chinese company to make out like a bandit on US soil.
[ link to this | view in chronology ]
China can get into whatever device they want in the US.
Other annoyances hack the phones too but if China wants in your electronics they are likely to get in.
It is hard to kick out dedicated, well funded hackers from any source.
[ link to this | view in chronology ]
Re:
"China can get into whatever device they want in the US."
Not when it is in the microwave.
[ link to this | view in chronology ]
FCC: then let them eat cake!
(Except the cake is infested with worms and other maladies)
[ link to this | view in chronology ]
0bamaphone
[ link to this | view in chronology ]