Some FCC Subsidized Low Income Phones Are A Chinese Malware Shitshow
from the ill-communication dept
We've long talked about the problems with the FCC's Lifeline program, which was created by Reagan and expanded by Bush Junior (yet somehow earned the nickname "Obamaphone"). The $2 billion program doles out a measly $9.25 per month subsidy that low-income homes can use to help pay a tiny fraction of their wireless, phone, or broadband bills (enrolled participants have to choose one). But for years, the FCC has struggled to police fraud within the program, with big and small carriers alike frequently caught "accidentally" getting millions in taxpayer dollars they didn't deserve.
Late last week another issue popped up with the government program, albeit of a different variety. Researchers over at MalwareBytes discovered that one-such government-subsidized low income wireless carrier, Assurance Wireless by Virgin Mobile, has been selling devices to low-income customers that are riddled with malware. One of the questionable apps pre-loaded on the device is dubbed "wireless update," and opens the door to malicious apps being installed without user awareness or consent:
"Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That’s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers."
Neat! Another malware app actually poses as the device's settings app, and can't be removed at all:
"It’s with great frustration that I must write about another unremovable pre-installed app found on the UMX U683CL phone: the mobile device’s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX. Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable."
When notified by journalists and lawmakers (Wyden) of the problem, the Ajit Pai FCC did what it's now infamous for, nothing:
The FCC is declining to say whether it’ll investigate @iblametom’s report concerning Chinese malware found in one Lifeline provider’s Android devices.
All it’s saying is that the FCC is not the provider of the service and that Lifeline $$ doesn’t pay for handsets.
— Brian Fung (@b_fung) January 9, 2020
Sure, Lifeline doesn't fund handsets, but it does fund this particular carrier, which would quickly take action if it meant losing taxpayer money. This is technically part of a broader problem the FCC/FTC don't seem too concerned about: the market, left to its own devices, is slowly turning things like privacy and security into luxury features exclusive to those who can afford it. A recent study by Privacy International found that the low-income budget phones we throw at the poor with pride routinely come with outdated OS', malware, and other issues we don't seem to care much about.
Filed Under: fcc, lifeline, malware, subsidies
Companies: assurance wireless
