The Unimax U683CL

An inexpensive $39 Chinese-made smartphone offered by a U.S. government-subsidized Lifeline mobile phone service provider is wide open to malware and trojan horse apps, leaving users exposed to privacy violations, adware, and auto-installed backdoor apps that might expose some to fraud.

Malwarebytes Labs, an online security company, issued a serious warning to the public about the Unimax U683CL smartphone’s compromised-from-the-box status, and criticized provider Assurance Wireless for selling the phone and ignoring repeated warnings sent to the company about the phone.

“Assurance Wireless by Virgin Mobile offers the UMX U683CL phone as their most budget conscious option. At only $35 [$39 as of Jan. 13, 2020] under the government-funded program, it’s an attractive offering,” Nathan Collier, a senior malware intelligence analyst at Malwarebytes Labs writes in a company blog. “However, what it comes installed with is appalling.”

Malwarebytes began getting complaints about the phone last fall, and secured one to investigate further. It quickly emerged the phone arrived with questionable software pre-installed:

The first questionable app found on the UMX U683CL poses as an updater named Wireless Update. Yes, it is capable of updating the mobile device. In fact, it’s the only way to update the mobile device’s operating system (OS). Conversely, it is also capable of auto-installing apps without user consent.

Thus, we detect this app as Android/PUP.Riskware.Autoins.Fota.fbcvd, a detection name that should sound familiar to Malwarebytes for Android customers. That’s because the app is actually a variant of Adups, a China-based company caught collecting user data, creating backdoors for mobile devices and, yes, developing auto-installers.

From the moment you log into the mobile device, Wireless Update starts auto-installing apps. To repeat: There is no user consent collected to do so, no buttons to click to accept the installs, it just installs apps on its own. While the apps it installs are initially clean and free of malware, it’s important to note that these apps are added to the device with zero notification or permission required from the user. This opens the potential for malware to unknowingly be installed in a future update to any of the apps added by Wireless Update at any time.

The second piece of unremovable malware is the UMX’s own “Settings” app, crucial to operating the phone. Researchers called this “heavily-obfuscated malware” that is detected as Android/Trojan.Dropper.Agent.UMX. This app quietly downloads and installs apps without the user’s permission, most recently including a variant of HiddenAds, which forces users to endure frequent advertising screens on their phone, even when not web browsing.

The malware activates the moment a user powers on their phone for the first time. Most customers will simply be annoyed if ad-related apps automatically install, but with a security-compromised phone opening the door to more malware in the future, this “lowers the bar on bad behavior by app development companies,” according to Collier.

“Budget should not dictate whether a user can remain safe on his or her mobile device. Shell out thousands for an iPhone, and escape pre-installed maliciousness. But use government-assisted funding to purchase a device and pay the price in malware? That’s not the type of malware-free existence we envision at Malwarebytes,” Collier said.

“We informed Assurance Wireless of our findings and asked them point blank why a U.S.-funded mobile carrier is selling a mobile device infected with pre-installed malware? After giving them adequate time to respond, we unfortunately never heard back,” Collier added.

Brindisi, as he appeared in a campaign ad slamming Charter Spectrum in the summer of 2018.

Rep. Anthony Brindisi (D-N.Y.), who made his battle with Spectrum into an election issue in 2018, is not done with the cable company yet.

This week, Brindisi appealed to the Consumer Financial Protection Bureau (CFPB) to launch an investigation into the cable company’s debt collection practices.

“Fighting Spectrum on rising rates also includes making sure they can’t use debt collection as another money-making tactic,” said Brindisi. “And the only way to get to the bottom of this is for the CFPB to ask the questions I outline in my letter.”

Brindisi is targeting Credit Management L.P., a Plano, Tex. collection agency that Spectrum relies on to pursue former customers, often to seek compensation for “lost or unreturned equipment.”

“After believing they had paid their final bill in full and returned their equipment, customers are finding themselves face-to-face with this unknown debt collector from Plano, Texas,” Brindisi told the CFPB. “One former Spectrum customer learned from Credit Management L.P. that they owed over $100 long after amicably ending their service. Spectrum never notified this customer they owed a penny. Instead, they sent them to collections, potentially damaging their credit rating and giving up their social security number and other personal information.”

In some cases, customers are being turned over to the collection agency for as little as an allegedly unreturned remote control. As a result, consumers are ending up with damaged credit because of the reported collection activity.

“The Better Business Bureau has logged hundreds of complaints about Credit Management L.P.,” Brindisi added. “Many of these complaints have been about their debt collection practices related to cable and internet companies. Customers have specifically named Spectrum and other cable companies as the source of the erroneous debt. A consumer should not be sent to a debt collector, without warning, for a missing remote control. That is both unfair and a sneaky way Spectrum might be padding its bottom line, which would be unacceptable, worthy of investigation and potentially in violation of federal rules.”

Brindisi wants the CFPB to determine how many customers are being pursued by Credit Management, L.P., how those customers are contacted, how much of the collection agency’s efforts relate to being compensated for allegedly unreturned equipment as opposed to late or non-payment of monthly cable bills, and how the agency handles customers’ private personal information.  Brindisi also wants the CFPB to determine if the collection practices violate federal law.

Brindisi also urged constituents being contacted by Credit Management L.P., on behalf of Spectrum, to call his office at (315) 732-0713.

In addition to running campaign commercials that slammed Spectrum, Brindisi has doggedly pursued the cable industry as a freshman congressman representing an Upstate New York district extending from the east end of Lake Ontario through Central New York to the Pennsylvania border, including the cities of Utica, Rome and Binghamton. Brindisi introduced the Transparency for Cable Consumers Act, promising to provide better oversight of cable and internet providers and hold companies accountable that are fined by a state Public Service Commission. In November, Brindisi slammed Spectrum in an opinion piece outlining his efforts to hold Spectrum accountable. Brindisi also recently launched a district-wide survey of home internet speeds and service to determine if internet customers are getting advertised internet speeds.

Several progressives were surprised to learn that CREDO Mobile (formerly Working Assets Wireless), a mobile virtual network operator that advocates for progressive causes, today closed down its CREDO Action activism arm and announced it was ceasing all further involvement in activism campaigns.

The CREDO Action website, which had recently been protesting against perceived Republican bias against the impeachment of President Donald Trump, was the advocacy arm of CREDO, a self-described social change organization that funds grassroots activism campaigns and progressive non-profit groups with revenue earned from CREDO branded credit cards, CREDO Mobile phone service and CREDO Energy. The group, originally launched in 1985 under the Working Assets Long Distance brand, had been integrally involved in many progressive campaigns, including preserving net neutrality, and has been a strong supporter of the progressive wing of the Democratic Party.

No explanation was given on the CREDO Action website, beyond thanking supporters and linking to a video reviewing the group’s major accomplishments in 2019. Many progressives were shocked by the surprising announcement, which came this afternoon without warning.

Holy cow, I cannot believe it: @CREDOMobile shut down CREDO Action. A terrible day for progressive activism. https://t.co/iSCLwbyU3d

— Lauren Miller (@laurenm) January 7, 2020

The decision is likely to cause the loss of jobs for at least a dozen of CREDO Action’s leadership and campaign staffers, who managed the group’s outreach and calls to action.

Sad but true: CREDO Action shut down today.

We put together a document with info about some of the brilliant & talented folks who are now out of a job at no fault of their own: https://t.co/4faUB8rj0q

Below I’ll share the email we’re sending to the CREDO email list today. https://t.co/jP2q04a2ZH

— Josh Nelson (@josh_nelson) January 7, 2020

honestly, still processing this news.

CREDO Action has been a critical part of the progressive infrastructure for years, and I’ve been honored to work alongside many of them. they’re colleagues, fellow campaigners, and friends.

this is a tough loss, and i want to know more. https://t.co/AYTz2kMlNz

— John Lee Brougher (@johnbrougher) January 7, 2020

More than 121,000 homes and businesses in 17 states will receive subsidized satellite internet service from Viasat, after the Federal Communications Commission awarded $87.1 million to connect customers at those locations at a cost of just over $715 per customer.

The money is part of the ongoing Connect America Fund (CAF) program, designed to subsidize the costs of delivering internet access in high-cost, typically rural areas. The current iteration of the program is dispensing funding over 10 years to 45 states. Viasat won the funding through an auction procedure that makes it easy for satellite providers to win funding because of low infrastructure costs to service rural areas that lack a wired internet service provider.

An additional $2.1 million was awarded to some other providers:

• Fixed wireless provider LTD Broadband, which relies on 1,500 wireless internet tower sites covering over 40,000 square miles of Iowa, Minnesota, Nebraska and South Dakota.
• Horry Telephone Cooperative, which serves rural customers in Horry County, S.C.
• Bruce Telephone Company, which won funding for parts of Wisconsin to deliver gigabit internet service.
• JCWIFI, which provides fixed wireless internet within a 3,000 square mile service area covering parts of Illinois, Iowa and Wisconsin.

In addition to the upper Midwest and South Carolina, the biggest states expected to benefit from the latest awards are (northern) California and Wyoming.

At least $2 billion in subsidy funds became available after larger providers — AT&T, CenturyLink and Verizon turned down funding because the companies had no interest in building out their networks in rural service areas.

AT&T was unhappy with the low internet speed score the FCC was about to give the telecom giant, so it made a few phone calls and got the government regulator to effectively rig the results in its favor.

“Regulatory capture” is a term becoming more common in administrations that enable regulators that favor friendly relations with large companies over consumer protection, and under the Trump Administration, a very business-friendly FCC has demonstrated it is prepared to go the distance for some of the country’s largest telecom companies.

Today, the Wall Street Journal reported AT&T successfully got the FCC to omit DSL speed test results from the agency’s annual “Measuring Broadband America” report. Introduced during the Obama Administration, the internet speed analysis was designed to test whether cable and phone companies are being honest about delivering the broadband speed they advertise. Using a small army of test volunteers that host a free speed testing router in their home (full disclosure: Stop the Cap! is a volunteer host), automated testing of broadband performance is done silently by the equipment on an ongoing basis, with results sent to SamKnows, an independent company contracted to manage the data for the FCC’s project.

In 2011, the first full year of the program, results identified an early offender — Cablevision/Optimum, which advertised speed it couldn’t deliver to many of its customers because its network was oversold and congested. Within months, the company invested millions to dramatically expand internet capacity and speeds quickly rose, sometimes beyond the advertised level. In general, fiber and cable internet providers traditionally deliver the fastest and most reliable internet speed. Phone companies selling DSL service usually lag far behind in the results. One of those providers happened to be AT&T.

In the last year, the Journal reports AT&T successfully appealed to the FCC to keep its DSL service’s speed performance out of the report and withheld important information from the FCC required to validate some of the agency’s results.

The newspaper also found multiple potential conflicts of interest in both the program and SamKnows, its contracted partner:

• Providers get the full names of customers using speed test equipment, and some (notably Cablevision/Optimum) regularly give speed test customers white glove treatment, including prioritized service, performance upgrades and extremely fast response times during outages that could affect the provider’s speed test score. Jack Burton, a former Cablevision engineer said “there was an effort to make sure known [users] had up-to-date equipment” like modems and routers. Cablevision also marked as “high priority” the neighborhoods that contained speed-testing users, ensuring that those neighborhoods got upgraded ahead of others, said other former Cablevision engineers close to the effort.
• Providers can tinker with the raw data, including the right to exclude results from speed test volunteers subscribed to an “unpopular” speed tier (usually above 100 Mbps), those using outdated or troublesome equipment, or are signed up to an “obsolete” speed plan, like low-speed internet. Over 25% of speed test results (presumably unfavorable to the provider) were not included in the last annual report because cable and phone companies objected to their inclusion.
• SamKnows sells providers immediate access to speed test data and the other data volunteers measure for a fee, ostensibly to allow providers to identify problems on their networks before they end up published in the FCC’s report. Critics claim this gives providers an incentive to give preferential treatment to customers with speed testing equipment.

Some have claimed internet companies have gained almost total leverage over the FCC speed testing project.

The Journal:

Internet experts and former FCC officials said the setup gives the internet companies enormous leverage. “How can you go to the party who controls the information and say, ‘please give me information that may implicate you?’ ” said Tom Wheeler, a former FCC chairman who stepped down in January 2017. Jim Warner, a retired network engineer who has helped advise the agency on the test for years, told the FCC in 2015 that the rules for providers were too lax. “It’s not much of a code of conduct,” Mr. Warner said.

An FCC spokesman told the Journal the program has a transparent process and that the agency will continue to enable it “to improve, evolve, and provide meaningful results as we move forward.”

The stakes of the FCC’s speed tests are enormous for providers, now more reliant than ever on the highly profitable broadband segment of their businesses. They also allow providers to weaponize  favorable performance results to fight off consumer protection efforts that attempt to hold providers accountable for selling internet speeds undelivered. In some high stakes court cases, the FCC’s speed test reports have been used to defend providers, such as the lawsuit filed by New York’s Attorney General against Charter Communications over the poor performance of Time Warner Cable. The parties eventually settled that case.

In 2018, the key takeaway from the report celebrated by providers in testimony, marketing, and lobbying, was that “for most of the major broadband providers that were tested, measured download speeds were 100% or better of advertised speeds during the peak hours.”

Comcast often refers to the FCC’s results in claims about XFINITY internet service: “Recent testing performed by the FCC confirms that Comcast’s broadband internet access service is one of the fastest, most reliable broadband services in the United States.” But in 2018, Comcast also successfully petitioned to FCC to exclude speed test results from 214 of its testing customers, the highest number surveyed among individual providers. In contrast, Charter got the FCC to ignore results from 148 of its customers, Mediacom asked the FCC to ignore results from 46 of its internet customers.

Among the most remarkable findings uncovered by the Journal was the revelation AT&T successfully got the FCC to exclude all of its DSL customers’ speed test results, claiming that it would not be proper to include data for a service no longer being marketed to customers. AT&T deems its DSL service “obsolete” and no longer worthy of being covered by the FCC. But the company still actively markets DSL to prospective customers. This year, AT&T also announced it was no longer cooperating with SamKnows and its speed test project, claiming AT&T has devised a far more accurate speed testing project itself that it intends to use to self-report customer speed testing data.

Cox also managed to find an innovative way out of its poor score for internet speed consistency, which the FCC initially rated a rock bottom 37% of what Cox advertises. Cox claimed its speed test results were faulty because SamKnows’ tests sent traffic through an overcongested internet link yet to be upgraded. That ‘unfairly lowered Cox’s ratings’ for many of its Arizona customers, the company successfully argued, and the FCC put Cox’s poor speed consistency rating in a fine print footnote, which included both the 37% rating and a predicted/estimated reliability rating of 85%, assuming Cox properly routed its internet traffic.

The FCC report also downplays or doesn’t include data about internet slowdowns on specific websites, like Netflix or YouTube. Complaints about buffering on both popular streaming sites have been regularly cited by angry customers, but the FCC’s annual report signals there is literally nothing wrong with most providers.

Providers still fear their own network slowdowns or problems during known testing periods. The Journal reports many have a solution for that problem as well — temporarily boosting speeds and targeting better performance of popular websites and services during testing periods and returning service to normal after tests are finished.

James Cannon, a longtime cable and telecom engineering executive who left Charter in February admitted that is standard practice at Spectrum.

“I know that goes on,” he told the Journal. “If they have a scheduled test with a government agency, they will be very careful about how that traffic is routed on the network.”

As a result, the FCC’s “independent” annual speed test report is now compromised by large telecom companies, admits Maurice Dean, a telecom and media consultant with 22 years’ experience working on streaming, cable and telecom projects.

“It is problematic,” Dean said. “This attempt to ‘enhance’ performance for these measurements is a well-known practice in the industry,’ and makes the FCC results “almost meaningless for describing actual user experience.”

Tim Wu, a longtime internet advocate, likened the speed test program as more theoretical than actual, suggesting it was like measuring the speed of a car after getting rid of traffic.