Expert Reaction On Pre-Installed, Unremoveable Malware Found On US Government-funded Phones

In response to reports that a US-funded mobile carrier offering phones via the Lifeline Assistance program is selling mobile devices pre-installed with malicious applications, a cybersecurity expert offers perspective.

Experts Comments

January 10, 2020
Erich Kron
Security Awareness Advocate
KnowBe4
Whether Assurance was aware of the malware when procuring the phones or not, this certainly illustrates the increasing concerns around supply chain management and the complexity behind it. Quite often manufacturers do not write all of the software needed to run the devices, but instead license software from other providers or the manufacturers of the chips themselves. This makes ensuring all of the code is secure and trustworthy a difficult task and is not just related to lower-tier providers. A similar issue was recently reported with Samsung phones, which use software, even on their top-tier phones such as the S10+, from a company with a questionable reputation called Qihoo 360, and it cannot be uninstalled. In the hypercompetitive world of cellular phones and electronic devices, the struggle to create the most inexpensive phones with the strongest feature set results in less security testing and will likely result in similar events in the future. The surprising and unfortunate thing here is the response to Malwarebytes when presented with the findings. While it seems easy to ignore these sorts of reports in the hope that it will go away quickly, the unfortunate truth is that a poor response to an incident such as this can leave long-lasting marks on an organization's reputation. We continue to see that people are far more likely to forgive an issue if the organization is truthful, sincere and transparent in their response.