Some FCC Subsidized Low Income Phones Are A Chinese Malware Shitshow

from the ill-communication dept

We’ve long talked about the problems with the FCC’s Lifeline program, which was created by Reagan and expanded by Bush Junior (yet somehow earned the nickname “Obamaphone”). The $2 billion program doles out a measly $9.25 per month subsidy that low-income homes can use to help pay a tiny fraction of their wireless, phone, or broadband bills (enrolled participants have to choose one). But for years, the FCC has struggled to police fraud within the program, with big and small carriers alike frequently caught “accidentally” getting millions in taxpayer dollars they didn’t deserve.

Late last week another issue popped up with the government program, albeit of a different variety. Researchers over at MalwareBytes discovered that one-such government-subsidized low income wireless carrier, Assurance Wireless by Virgin Mobile, has been selling devices to low-income customers that are riddled with malware. One of the questionable apps pre-loaded on the device is dubbed “wireless update,” and opens the door to malicious apps being installed without user awareness or consent:

“Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That?s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers.”

Neat! Another malware app actually poses as the device’s settings app, and can’t be removed at all:

“It?s with great frustration that I must write about another unremovable pre-installed app found on the UMX U683CL phone: the mobile device?s own Settings app functions as a heavily-obfuscated malware we detect as Android/Trojan.Dropper.Agent.UMX. Because the app serves as the dashboard from which settings are changed, removing it would leave the device unusable.”

When notified by journalists and lawmakers (Wyden) of the problem, the Ajit Pai FCC did what it’s now infamous for, nothing:

Sure, Lifeline doesn’t fund handsets, but it does fund this particular carrier, which would quickly take action if it meant losing taxpayer money. This is technically part of a broader problem the FCC/FTC don’t seem too concerned about: the market, left to its own devices, is slowly turning things like privacy and security into luxury features exclusive to those who can afford it. A recent study by Privacy International found that the low-income budget phones we throw at the poor with pride routinely come with outdated OS’, malware, and other issues we don’t seem to care much about.

Filed Under: , , ,
Companies: assurance wireless

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Some FCC Subsidized Low Income Phones Are A Chinese Malware Shitshow”

Subscribe: RSS Leave a comment

This comment has been flagged by the community. Click here to show it.

Zof (profile) says:

And then there's objective reality.

Objective reality, where the company behind Adups, Qihoo 360, is the respected security company that reported the latest vulnerability in Firefox. Probably why the story doesn’t mention that Adups is theirs. It would ruin the narrative. And that in China, the Adups utility is just a firmware tool everyone uses. And that absolutely zero evidence has been presented to date that Adups has ever been used for anything nefarious. But it "could" be. And you stoke that with a little racism, and suddenly you have a Malwarebytes clickbait device.

Anonymous Coward says:

Re: And then there's objective reality.

Okay, admittedly it’s a Zof comment, and the comment itself is utter gibberish, but there seems to be a tiny flash of insight peeking through the clouds of lunacy.

Adups does in fact appear to be a firmware updater program, and claims that the reason it was marked as a malware provider in the first place was that one particular version of its software, to one customer, accidentally included elements of its software meant for hardware monitoring purposes; yes, they put out a software update that included a mechanism to raid the device’s memory for SMS messages but, speaking as a programmer myself, that’s probably because someone at the company included some method from a library that included that functionality, and ended up including all of the associated functionality in the product. An analogy might be that it included a "hand" function that it used for its "counting on fingers" functionality and nothing else, but by including the "hand" code, it pulled in all the functionality for pickpocketing, even if that code was never used.

Or they could be a bunch of rampant data thieves. I don’t work for ’em, so I don’t know.
There’s definitely a big chunk of nuance lacking in this story though, which is somewhat ironic considering it’s appearing so close to Mike’s heart-searching article about Larry Lessig’s SLAPP suits…

Anonymous Coward says:

Re: Re: And then there's objective reality.

Oh, and there are plenty of viable reasons for such functionality, particularly if the overall software company manufactures any kind of hardware monitoring device that communicates via SMS and sends those SMS messages back to a central server to log and potentially do some off-device calculations.

Perfectly reasonable functionality that’s, indeed, a security nightmare and PR horror show if it’s accidentally released onto a consumer handset.

Scary Devil Monastery (profile) says:

Re: Re: And then there's objective reality.

"An analogy might be that it included a "hand" function that it used for its "counting on fingers" functionality and nothing else, but by including the "hand" code, it pulled in all the functionality for pickpocketing, even if that code was never used."

It does get confusing. Consider that even as a user of an android app you’ll be asked to allow the new app to access phone calls (to allow incoming phone calls to pause the app in question), gallery and storage space (to allow snapshots and save functions), etc, etc.

All of which are perfectly legitimate uses but which could also be used for all sorts of outrageous and malicious fuckery.

Dual use bites as hard against common consumers as it does to ultra-authoritarian law enforcement, in the end. The only preventative measure is to take a deeper interest in what a given app actually does, why it does so, and check security pages for alerts mentioning the app or app manufacturer in question.

Actual security companies have to err on the side of caution so will naturally flag every app capable of accessing sensitive areas without known mitigation as a PUP or possible malware.

That said Zof’s statement above; "…that in China, the Adups utility is just a firmware tool everyone uses." says nothing much at all, because in China if your carrier hands you a phone loaded to the brim with government rootkits you’ll simply use it and like it. Or else.

This comment has been deemed insightful by the community.
Koby (profile) says:


The devices got the name because, at a time when there was massive fraud, and parents with iPhones who qualified for the program signed up anyhow so that they could give a free phone to their kid, the Obama administration ENCOURAGED the program instead of shutting it down. The comparison is that both the phone program and the administration were phonies.

Anonymous Coward says:

but these are ok to let the low paid have! the company to stop is Huawei because it produces far better products than similar American ones, are cheaper, safer, more reliable and get updated more often. the only problem found with any Huawei product is by Mr President and that’s probably because they wont let him buy into it!!

Scary Devil Monastery (profile) says:

Re: Re: Re:

"Is there any data in support of your allegation?"

Well, there is, as far as he ran the snarcastic summary. Huawei’s products are, by most tech standards far better than comparable american ones in the same price range.

Motorola would have been the exception except that it’s now owned by Lenovo and therefore also Chinese.

Essentially the only really american smartphone I can think of right now is the iPhone…and that comes in at price ranges about 30% higher than the same functionality on a similar quality android phone, usually. And given that most of it is "made in china" the US label is somewhat tentative as well.

Huawei’s routers and switches were the primary cause the US declared specific sanctions on them, and after extensive fact-checking by independent experts the only possible reason which stands out would be that their routers are cheaper than Ciscos while still offering the same functionality, and that with 5G being hyped so hard the white house doesn’t want a chinese company to make out like a bandit on US soil.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...