So much for that “free” lunch, huh?
Android phones distributed via a government-sponsored program aimed at granting low-income households access to cheap cell service apparently came pre-equipped with Chinese malware, according to a Forbes report Thursday.
Through its partnership with the federal Lifeline Assistance program (you know, that one Sprint got caught abusing earlier this year?), provider Assurance Wireless offers free Android devices complete with free data, texts, and minutes to low-income applicants. But recently, researchers found that this supposed deal contains several hidden costs. Security researchers with the cybersecurity company MalwareBytes told Forbes that a UMX phone shipped by the company comes preinstalled with multiple strains of malware—at least one of which is impossible to remove—which create a backdoor to users’ private data.
After studying one of these devices, the team traced one of the preinstalled malware back to Adups, a Chinese tech firm with a bit of a reputation for tapping budget Android phones. This tool purportedly masquerades as a Wireless Update program while surreptitiously auto-installing apps without the user’s consent.
“This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time,” MalwareBytes senior analyst Nathan Collier wrote in a company blog post Thursday.
Another piece of malware is reportedly hidden in the phone’s Settings app, which can’t be removed without essentially bricking the device. The app operates exactly how you’d expect, all while secretly installing malware known as HiddenAds in the background. Collier told Forbes he’s confident that all models of that particular device shipped by Assurance Wireless came pre-infected with both strains of malware.
And, perhaps most alarmingly, this is only the latest development in a growing trend, Collier told Forbes; providers have been making a habit of bugging cheap phones.
“There appears to be a rise of budget phones in general coming with preinstalled malware. The fact that the Trojan is tied into a system app that cannot be removed escalates this issue beyond fraud in my opinion.”
Last year, researchers with Avast Threat Labs found more than 100 budget Android devices that shipped with complimentary malware, some of which were embedded into the devices’ essential functions.
MalwareBytes researchers previously tried to warn Assurance Wireless of these vulnerabilities but received no response, per their blog post, so there’s zero reason to believe these devices aren’t still out there, continuing to scrape away at users’ data and install illicit programs. The provider’s parent company, Virgin Mobile, did not immediately respond to Gizmodo’s request for comment.