Incident: Preinstalled Malware on US Government Subsidized Android Phones.

Published Date: 2020-01-11

Postmortem Analysis
Timeline
1. The software failure incident involving the UMX U686CL Android phone, subsidized by the US government for low-income users, was reported by researchers on Thursday, as mentioned in the article [94557].
2. Published on 2020-01-11 08:00:00+00:00. Estimation: the incident occurred on the Thursday before the article was published on January 11, 2020. Therefore, the software failure incident likely happened on January 9, 2020.

System
1. UMX U686CL Android phone provided by Virgin Mobile's Assurance Wireless program [94557]

Responsible Organization
1. The UMX U686CL Android phone subsidized by the US government for low-income users was responsible for causing the software failure incident by coming preinstalled with malware that cannot be removed without making the device cease to work [Article 94557].

Impacted Organization
1. Low-income users enrolled in the Lifeline Assistance program [94557]

Software Causes
1. The failure incident was caused by preinstalled malware on the UMX U686CL Android phone provided by Virgin Mobile's Assurance Wireless program, which included:
   - A hidden library named com.android.google.bridge.Liblmp that installs software displaying aggressive ads [94557].
   - The Wireless Update app, which automatically installs unwanted apps without user consent [94557].

Non-software Causes
1. The UMX U686CL Android phone subsidized by the US government for low-income users came preinstalled with malware that couldn't be removed without making the device cease to work, as reported by researchers [Article 94557].

Impacts
1. The preinstalled malware on the UMX U686CL Android phone subsidized by the US government for low-income users resulted in the installation of adware and unwanted apps without user knowledge or permission, and was virtually impossible to remove without rendering the device inoperable [Article 94557].
2. The Wireless Update feature on the UMX U686CL automatically installed apps without user consent, posing a security risk; removing it prevents the phone from receiving updates, potentially leaving the device vulnerable to future threats [Article 94557].
3. The presence of preinstalled malware and potentially unwanted programs on low-cost phones like the UMX U686CL compromises user security and privacy, particularly impacting low-income users who may not have the resources to purchase phones from mainstream and well-known providers [Article 94557].

Preventions
1. Conducting thorough security assessments and audits before distributing subsidized phones to low-income users could have prevented the software failure incident [94557].
2. Implementing strict guidelines and oversight on preinstalled apps and software to ensure they do not contain malware or unwanted features could have prevented the incident [94557].
3. Providing users with the ability to easily remove or disable preinstalled apps that are deemed unwanted or potentially harmful could have prevented the incident [94557].

Fixes
1. Conduct a thorough investigation to identify the root cause of the malware preinstalled on the UMX U686CL device [94557].
2. Work with the device manufacturer, Unimax, to address the issue and ensure that future devices are not preinstalled with malware [94557].
3. Implement a software update that removes the hidden library and the Wireless Update feature that automatically installs apps without user consent [94557].

References
1. Malwarebytes researchers [Article 94557]
2. Sprint officials [Article 94557]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident of preinstalled malware on low-cost Android phones has happened before at other organizations or with their products and services. The article mentions incidents of preinstalled malware on low-cost Android phones from various providers and manufacturers, including a backdoor on BLU devices, a powerful backdoor and rootkit also on BLU devices, and covert downloaders on 26 different phone models from various manufacturers [Article 94557]. (b) The software failure incident of preinstalled malware on low-cost Android phones has happened again at the organization providing the UMX U686CL phone subsidized by the US government for low-income users. Malwarebytes researchers reported that the UMX U686CL phone provided by Virgin Mobile's Assurance Wireless program comes preinstalled with malware that cannot be removed without making the device cease to work. This incident highlights a recurring issue of preinstalled malware on low-cost phones provided to low-income users [Article 94557].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase is evident in the article. The UMX U686CL Android phone subsidized by the US government for low-income users comes preinstalled with malware that cannot be removed without causing the device to cease working. The malware is hidden in the phone's settings app, making it virtually impossible to uninstall, as the phone cannot operate properly without it. This design flaw allows for the installation of unwanted apps without user consent, posing a significant security risk [94557]. (b) The software failure incident related to the operation phase is also highlighted in the article. The UMX U686CL phone's Wireless Update feature, which is meant to provide a mechanism for downloading and installing phone updates, automatically loads a barrage of unwanted apps without user permission. This operation flaw results in apps being installed on the device without any user consent, compromising user experience and potentially exposing users to security risks [94557].
Boundary (Internal/External) within_system (a) The software failure incident reported in the article is primarily within_system. The failure was due to the UMX U686CL Android phone being preinstalled with malware that cannot be removed without causing the device to cease working. The malware included obfuscated malware that installs adware and unwanted apps without user permission, as well as a feature called Wireless Update that automatically installs apps without user consent. These malicious components were hidden within the phone's settings app, making them virtually impossible to uninstall [94557].
Nature (Human/Non-human) non-human_actions (a) The software failure incident in Article 94557 occurred due to non-human actions. The Android phone subsidized by the US government for low-income users came preinstalled with malware that could not be removed without making the device cease to work. The malware included obfuscated malware that installed adware and unwanted apps without user knowledge or permission, as well as an app called Wireless Update that automatically installed apps without user consent [94557].
Dimension (Hardware/Software) hardware, software (a) The software failure incident related to hardware: - The UMX U686CL Android phone subsidized by the US government for low-income users comes preinstalled with malware that cannot be removed without making the device cease to work [Article 94557]. (b) The software failure incident related to software: - The UMX U686CL Android phone comes with preinstalled malware, including obfuscated malware that can install adware and other unwanted apps without the user's knowledge or permission [Article 94557]. - The device also has an app called Wireless Update that automatically installs apps without user consent, posing a risk and preventing the phone from receiving updates [Article 94557].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident described in the article is malicious in nature. The Android phone subsidized by the US government for low-income users comes preinstalled with malware that cannot be removed without causing the device to cease functioning. The malware includes obfuscated code that installs adware and unwanted apps without user permission, as well as a feature called Wireless Update that automatically installs apps without user consent. These actions indicate a deliberate intent to harm the users' devices and compromise their security and privacy [94557].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident in Article 94557 can be categorized under poor_decisions. The incident involved a low-cost Android phone subsidized by the US government for low-income users, which came preinstalled with malware that could not be removed without causing the device to cease functioning. The malware included obfuscated software that installed adware and unwanted apps without user consent, as well as a feature called Wireless Update that automatically installed apps without permission. Despite being notified of these findings, the device manufacturer and service provider did not acknowledge the issue as malware, indicating a lack of action to address the preinstalled malware [94557].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident reported in Article 94557 can be attributed to development incompetence. The incident involved a low-cost Android phone subsidized by the US government for low-income users, which came preinstalled with malware that could not be removed without causing the device to cease working. Researchers at Malwarebytes discovered that the device contained obfuscated malware that could install adware and unwanted apps without user knowledge or permission. Additionally, the phone's Wireless Update feature automatically installed apps without user consent, posing a security risk. Despite these findings, Sprint officials initially stated that they did not believe the preinstalled apps were malicious, highlighting a lack of understanding or acknowledgment of the severity of the issue [94557]. (b) The software failure incident can also be considered accidental to some extent. While the preinstalled malware and unwanted apps on the UMX U686CL phone were intentional actions by the manufacturer, the consequences of these actions, such as compromising user security and privacy, could be seen as accidental from the perspective of the end-users who were not aware of the malicious software present on their devices. The automatic installation of apps without user consent through the Wireless Update feature further emphasizes the accidental nature of the incident, as users had no control over the additional software being installed on their devices [94557].
Duration permanent (a) The software failure incident described in the article is of a permanent nature. The Android phone subsidized by the US government for low-income users comes preinstalled with malware that cannot be removed without making the device cease to work. The malware is hidden in the phone's settings app, making it virtually impossible to uninstall, as the phone cannot operate properly without it. Uninstalling the Settings app renders the device useless, turning it into a "pricey paperweight" [94557].
Behaviour crash, omission, value, other (a) crash: The software failure incident described in the article can be categorized as a crash. The malware hidden in the phone's settings app makes it virtually impossible to uninstall, leading to the device ceasing to work properly without it, essentially rendering it a "pricey paperweight" if the settings app is uninstalled [Article 94557]. (b) omission: The software failure incident can also be related to omission. The Wireless Update feature on the UMX U686CL phone automatically installs apps without user consent, omitting the user's ability to choose whether to install these apps or not [Article 94557]. (c) timing: The timing of the software failure incident is not explicitly mentioned in the article. (d) value: The software failure incident can be associated with a failure in value. The Wireless Update feature on the UMX U686CL phone installs a barrage of unwanted apps without user permission, which poses an unacceptable risk, particularly since removing the feature prevents the phone from receiving updates [Article 94557]. (e) byzantine: The software failure incident does not exhibit characteristics of a byzantine failure. (f) other: The software failure incident can be categorized as a failure due to the system behaving in a way not described in the options (a to e). This includes the presence of potentially unwanted programs (PUPs) like the Wireless Update feature that automatically installs apps without user consent, even though the installed apps examined were clean and free of malware [Article 94557].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, non-human, other (a) death: There is no mention of people losing their lives due to the software failure incident in the provided article [Article 94557]. (b) harm: The article does not mention any physical harm caused to individuals due to the software failure incident [Article 94557]. (c) basic: The software failure incident did not impact people's access to food or shelter [Article 94557]. (d) property: People's material goods, money, or data were impacted due to the software failure incident as the malware installed unwanted apps without user consent, affecting the functionality of the device [Article 94557]. (e) delay: There is no mention of people having to postpone an activity due to the software failure incident in the article [Article 94557]. (f) non-human: Non-human entities were impacted by the software failure incident as the UMX U686CL Android phone subsidized for low-income users came preinstalled with malware that affected its operation and functionality [Article 94557]. (g) no_consequence: There were observed consequences of the software failure incident, particularly related to the installation of unwanted apps and the impact on the device's functionality [Article 94557]. (h) theoretical_consequence: The article discusses potential consequences of compromised security and privacy due to preinstalled malware on low-cost Android phones, but it does not mention any theoretical consequences that did not occur [Article 94557]. (i) other: The software failure incident led to the installation of unwanted apps without user consent, potentially exposing users to security risks and privacy concerns beyond the immediate impact on the device's functionality [Article 94557].
Domain unknown (a) The failed system in this incident was related to the telecommunications industry, specifically targeting low-income users through the Lifeline Assistance program [Article 94557].
