Phones for Low-income Users Hacked Before They’re Turned On, Research Finds

Posted on the 07 September 2020 by Thiruvenkatam Chinnagounder @tipsclear

Rameez Anwar's phone was in serious trouble. The device, which was paid for by the government-funded Lifeline program for low-income people, was overrun with pop-up ads that rendered it unusable. Despite multiple factory resets, the problem would not go away.

"As soon as it discovered the Internet," said Anwar, "it started pop-ups."

Anwar, who says he has tinkered with computers since childhood, suspected that the phone had malware installed. So he sent it to Nathan Collier, a researcher at Malwarebytes.

Collier confirmed Anwar's suspicion: the phone's Settings app and update app contained code that could load malicious apps, known as adware. The adware displayed ads that covered users' screens regardless of what they were doing on their phones.

Adware is not just a problem for Anwar and others using the same American Network Solutions phone model. Because the phones and their service plans were subsidized by a US program, taxpayers funded the data used to display the advertising campaigns. In addition, the adware prevented the phones from doing their intended job: connecting people on low incomes to essential services via the phone and the Internet.

There is evidence that preinstalled malware plagues inexpensive phones around the world. Earlier this year, Collier found preinstalled malware, a wide variety of intrusive or dangerous apps, on a Unimax phone distributed by the Lifeline program. Collier says he often sees similar malware on cheap phones outside of the Lifeline program. A BuzzFeed investigation found that inexpensive phones popular in African countries had similar problems.

Unimax said in a statement in January that it had created a security patch to fix a vulnerability in its settings app. However, it did not agree with Malwarebytes that the vulnerability in the app qualified as "malware". American Network Solutions could not be reached for comment.

By essentially rendering phones unusable, adware puts people on low incomes at risk of being cut off from the world, which is particularly problematic during the coronavirus pandemic. Families have difficulty connecting to the Internet for their children's education. Low-income people, some of whom are homeless, rely on their devices to keep in touch with doctors who cannot see them in person and apply for services. In California, approximately 14,000 people living alone in hotel rooms rely on phones to prevent loneliness after being evacuated from homeless shelters.

"Your connection to the world and the Internet is through phones," said Collier.

How the adware got onto cell phones

Looking at Anwar's phone, Collier found that the Settings app and the Update app could covertly install third-party software on the user's phone. Users cannot uninstall either app without rendering the devices unusable.

Collier found a way to turn off the malicious code without completely uninstalling the apps. However, users need to connect their phones to a laptop and run special software. A laptop may not be available for those in the Lifeline program and the instructions may be challenging for those without training.

Collier found that the update app was installing four different versions of adware, which may explain why Anwar found that the ads were overwhelming his device.

In response to a request for comment, Anwar's network operator, Assurance Wireless, referred CNET to the statement made in January by the phone manufacturer Unimax. It also delivered a letter to US Sens. Richard Blumenthal and Ron Wyden, both from Oregon, in response to questions the senators asked it about Malwarebytes' findings. In the letter, the company reiterated Unimax's claim that the code in the apps was a "security hole" and was not malware.

"It appears that Malwarebytes has incorrectly identified legitimate features as malware," the company said in its letter.

Assurance Wireless did not provide a specific response to the recent findings on the American Network Solutions phone. Because the code Malwarebytes identified in the Settings and update apps can cause unwanted adware to be stealthily loaded, the researchers concluded that the apps contain malware.

Government sponsored phones

The Lifeline program is overseen by the FCC. The telephone service providers usually either act as subsidiaries of well-known telephone providers or operate their services via the networks of the major mobile phone providers. Assurance Wireless is a division of T-Mobile.

Collier said he did not know how the malicious code got on the phone because third parties could access the phone's software at various points in the manufacturing process. He added that he had no way of knowing whether either the phone manufacturer or network operators were aware of the issues before Malwarebytes released its findings.

Budget phone manufacturers typically use pre-built software from Android for the apps that control settings and updates. It would be illegal for a phone maker to tweak these apps to allow the secret installation of adware, as it would be making money from ad impressions and clicks made possible by Lifeline funds.

"It is federal law that Lifeline funds cannot bear the cost of the handset or other end-user devices or software," an FCC spokesman said in a statement. "The security of American cell phones is vital and the FCC urges Lifeline providers to protect consumers from adware and malware."

The agency declined to answer a question about whether it was investigating Malwarebytes' findings on both phone models.

Other ways malware can get in

It is entirely possible that phone manufacturers are not aware of the phones' harmful capabilities before the devices make it out to users. Instead, thin profit margins on the devices could cause phone manufacturers to scrutinize the software on their phones less thoroughly than a well-known brand would, said Ken Hyers, mobile analyst at Strategy Analytics.

Hyers, who was not involved in the Malwarebytes research, said he could only speculate about how malicious code got onto the apps. A plausible place to do this would be in what is known as a software review house - a third-party service that checks the code for phone manufacturers before it is installed on devices.

Someone who works in the review house could insert the malicious code into the apps, Hyers said.

"Unless they have been compared line by line with the code that was sent to the test house," he said, "you wouldn't find it."

Lifeline phones that cannot be used

Anwar, 37, said he has a low-wage job and lives with roommates in Virginia. He did not order a new device through the Lifeline program. Instead, he uses a phone that he received as a gift and a friend pays the monthly bills.

He hopes the donation of his Lifeline phone to Malwarebytes will help raise awareness of the problem among other Lifeline users. Phones are not a luxury, he said. Everyone needs a phone to apply, call 911, contact doctors, and keep in touch with loved ones.

"Every single cell phone user deserves unrestricted access to calls and text messages," he said.
