The US government-funded Lifeline Assistance Program offers a cheap cell service with free smartphones, to low-income Americans since 1985. The scheme is run by the Federal Communications Commission and one provider, Assurance Wireless provides a free Android phone, along with complementary data, minutes, and texts. The UMX U688CL is the most inexpensive Android-based phone, made by a Chinese company.
Under this scheme, users have to pay $10 per month for a 3G device with data between 500 MB to 1 GB. This sounds perfect for people who can’t afford to splash money on fancy smartphones. But, in October 2019, Malwarebytes began to receive complaints that the government-funded phones come with preinstalled Chinese malware.
The researchers at Malwarebytes bought one of these phones to verify customer’s claims. They had even tried to warn Virgin Mobile, the owner of Assurance Wireless, but they didn’t get any response.
One of the preinstalled apps which looks and operates just like a Wireless Update program can install apps automatically, without user consent. The app comes with the ability to update the device, and this is the only option available to update the phone’s operating system. This app is a variant of Adups malware, which has previously reported to transmit calls location, texts, and app data to a Chinese server every 72 hours. Years ago, Adupds started its partnership with budget phone companies, to provide wireless updates.
“Adups provides wireless updates so people can update their operating system, but they’re also just installing random stuff without any user permission whatsoever.”
-Nathan Collier (Senior malware intelligence analyst)
In 2016, a researcher at the cyber-security company, Kryptowire, reported more than 700 million Android smartphones had Adups installed. And, those reports prompted investigations from Google and Homeland Security.
A second app containing malware, on the free Android phones, used code containing Chinese characters. The app operates like a Settings application, but it installs HiddenAds malware. The malware throws aggressive advertising on the infected phone. The Settings app is pivotal to the functionality of the device and removing the app will turn the phone into a useless brick. So, that automatically means the malware could not be removed from the device.
The worst part of these free Android phones is that neither of the applications were removable. UMX U686CL isn’t the only phone, many budget-phones have reported coming with pre-installed malware.
The researchers at Malwarebytes have a way to uninstall these apps for current users. But, this could have consequences on the device. Uninstalling the Wireless Update app would cause users to miss critical updates. And, removing the Settings app would eventually cause the device to turn useless.