Were our readers right? Are free government cell phones hacked before they’re activated?

Endless pop-up ads siphon off data paid for with federal subsidies in the Lifeline program, researchers found.

Over the years, numerous readers have told us that their free government cell phones were hacked from the moment they turned them on. Now it turns out that researchers are saying it’s true. Phones from some Lifeline companies came with malware that causes an endless series of pop-up ads, eating up data even when the phone isn’t being used.

Nathan Collier, a researcher at Malwarebytes, investigated. Here’s how cnet.com details what he found:

The phone’s settings and update apps contained code that allowed them to load malicious apps known as adware. The adware displayed ads that covered users’ screens, no matter what they were doing on their phones.

…Because the phones and their service plans were subsidized by a US program, taxpayers were funding the data that was used to display the promotional campaigns. On top of that, the adware prevented the phones doing their intended job: keeping low-income people connected to vital services via phone and internet.

Evidence suggests pre-installed malware plagues inexpensive phones around the world. Earlier this year, Collier found pre-installed malware, a broad range of disruptive or dangerous apps, on a phone made by Unimax and distributed by the Lifeline program. Collier says he frequently sees similar malware on cheap phones outside the Lifeline program.

Unimax, the manufacturer of the phones, didn’t particularly care for Collier’s characterization of the problem as “malware.” It called the problem “a vulnerability in its settings app.” In other words, it is taking the position that this was just a wee bit of a problem, an accidental oversight, so to speak, and that they jumped right in and solved that pesky little issue.

But it’s not just an insignificant problem. If your cell phone begins displaying one pop-up ad after another ad infinitum, it renders the device unusable and, therefore, worthless. Low-income Americans have come to depend on their free government cell phones for contacting doctors, for finding jobs, and for everyday survival.

Assurance Wireless, one of the largest Lifeline companies, disputes Collier’s findings. CNET.com notes:

In response to a request for comment, Anwar’s carrier, Assurance Wireless, referred CNET to phone maker Unimax’s statement in January. It also supplied a letter it sent to US Sens. Richard Blumenthal of Connecticut and Ron Wyden in response to questions the senators asked them about the Malwarebytes findings. In the letter, the company repeated Unimax’s assertion that code in the apps amounted to a “security vulnerability” and was not malware.

“It appears that Malwarebytes was incorrectly identifying legitimate functions as malware,” the company said in its letter.

The Federal Communications Commission, the agency that oversees the Lifeline program, issued one of its typical wishywashy statements.

“It is federal law that Lifeline funds are prohibited from supporting the cost of the handset or any other end-user device or software,” an FCC spokesperson gravely intoned. “The security of Americans’ cell phones is critical, and the FCC urges Lifeline providers to protect consumers from adware and malware.” 

And then the FCC decided that discretion is the better part of valor, or that cowardice is the better part of keeping your government job, and clammed up when asked if it’s investigating the Malwarebytes findings on either phone model.

This really is an outrageous situation. Why bother spending billions of dollars on the Lifeline free government cell phone program if those cell phones are rendered useless?

The government spends incalculable hours and dollars investigating fraud in the Lifeline program and enforcing rules designed to root out fraud, waste and abuse. Why bother with any of it when this sort of fraud is so much more damaging?