Anti-malware company Malwarebytes said the phone provider, Sprint's Assurance Wireless offers its most affordable Android smartphone, the Chinese-made UMX, for only $35 with free data, texts and minutes through the government support program Lifeline.
The catch? The devices come with several pre-installed Chinese malware applications, Malwarebytes found in its investigation into the phone after receiving multiple complaints from the recipients of these devices.
"Lifeline...does not fund hardware or apps," the Federal Communications Commission (FCC) told FOX Business in a statement. "In fact, it is federal law that Lifeline funds are prohibited from supporting the cost of the handset or any other end-user device. The FCC urges Lifeline providers to protect consumers from adware and malware."
Sprint said in a statement that it is aware of the issue and is in touch with the device's manufacturer to "understand the root cause." It added, however, that after conducting its own tests, it does not "believe the applications described in the media are malware."
Malwarebytes senior analyst Nathan Collier called the findings "appalling" in his report. Malwarebytes purchased one of the phones in question to conduct the study.
"It is outrageous that taxpayer money may be going to companies providing insecure, malware-ridden phones to low-income families," Sen. Ron Wyden (D-OR), who has been a staunch advocate of tech privacy, told Forbes. "I’ll be asking the FCC to ensure Americans that depend on Lifeline Assistance aren’t paying the price with their privacy and security."
One malware application identified by Malwarebytes called Adups, which comes preinstalled on the device and is disguised as a Wireless Update program, downloads apps without user consent almost immediately after the phone is put to use.
"This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time," Collier wrote.
A second malicious application officially identified by Malwarebytes on Friday, which is also preinstalled on the UMX phones, was discovered in the phone's Settings app. While the settings function normally, there is a hidden malware in the settings called HiddenAds, which can infect a device with belligerent pop-up ads.
HiddenAds "runs silently in the background and does not create an app icon. Evidence of its running in the background can be seen in the mobile device’s notifications," according to an update in the report. This application can be removed from the app itself, which is tricky to identify since it appears as a blank space rather than an icon on a user's device.
Collins notes in his report that it is "important to realize that UMX isn’t alone. There are many reports of budget manufacturers coming pre-installed with malware, and these reports are increasing in number. Although I don’t have the answer to this widespread issue, I can say that U.S. citizens using the Lifeline Assistance Program and many others on a tight budget deserve more. Stay safe out there."
The findings highlight continued efforts by the Chinese to infiltrate U.S. technology and seemingly little effort by a government-funded program to address the issue. Assurance Wireless did not respond to FOX Business' or Malwarebytes' requests for comment.
This article has been updated to change the name "Lifeline Assistance" to "Lifeline" and reflect that the program is government-supported.