AT&T says malware secretly unlocked hundreds of thousands of phones

The audacious scheme was carried out with help from AT&T employees, it alleged in court documents.

AT&T logo on Boston store

The AT&T logo seen on the door of the company's Boston store on Sept. 18, 2015.

Credit: Nick Barber

AT&T said three of its employees secretly installed software on its network so a cellphone unlocking service could surreptitiously funnel hundreds of thousands of requests to its servers to remove software locks on phones.

The locks prevent phones from being used on competing networks and have been an important tool used by cellular carriers to prevent customers from jumping ship. They can be electronically removed, usually after fulfilling a contract obligation, but many websites offer the same service for a small fee with no questions asked.

AT&T's allegations are made in a filing with U.S. District Court for the Western District of Washington in which it accuses two companies, four people and an unknown software developer or developers, of participating in the audacious scheme. AT&T filed its lawsuit on Sept. 11 but it was first reported by Geekwire on Friday.

The carrier first discovered something was amiss in September 2013 when a surge in the number of unlock requests alerted the company to the possible abuse of "Torch," the software used to unlock cellphones, it said in the complaint.

Upon investigation, the company discovered that the logins and passwords of two employees at a center in Washington were responsible for a large number of the requests and those requests happened within milliseconds of each other.

Both employees, Kyra Evans and Marc Sapatin, are named in the lawsuit.

On the computers of Evans and Sapatin, investigators found unauthorized software intended to route unlocking requests from an external source through AT&T's computer system, it said. AT&T says its investigators uncovered numerous iterations of the software, which grew in complexity until it was eventually able to submit the automatic requests.

Investigators later found the software on a computer of a third employee, Nguyen Lam, according to AT&T. All three are no longer working at AT&T.

AT&T says a California-based company called Swift Unlocks and its proprietor, Prashant Vira, were involved in the scheme and paid Evans and Sapatin at least US$20,000 and $10,500 respectively to install the software. But, AT&T concedes that it doesn't know the full extent of Swift Unlocks' involvement.

Swift Unlocks operates a website where people can pay to have the software lock removed from their phones. Charges vary by phone but AT&T users will generally pay $20 or less for the unlocking service.

In all, AT&T says "hundreds of thousands" of phones were unlocked as a result of the scheme. Its charges include computer fraud, breach of loyalty and civil conspiracy and the carrier has asked the court to hear the case in front of a jury.

The defendants could not immediately be reached for comment and are yet to file a reply to the allegations with the court.