[TheRecord] Malware found preinstalled in classic push-button phones sold in Russia

A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.

In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as the DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to avoid detection.

ValdikSS, who set up a local 2G base station in order to intercept the phones’ communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser.

ValdikSS said he tested five old-school phones he bought online. The fifth phone, the Inoi 101, did not exhibit any malicious behavior.

Phone model: Inoi 101
Malicious behavior:
– None.

Phone model: DEXP SD2810
Malicious behavior:
– Does not contain an internet browser but connects online via GPRS behind the user’s back and sends data to a remote server, including the phone’s IMEI and IMSI codes.
– Sends SMS messages to premium numbers by retrieving the SMS number and SMS text from a remote server. Also intercepts SMS confirmation messages and replies on behalf of the user.
– Online complaints confirm this behavior.

Phone model: Itel it2160
Malicious behavior:
– A “sale” function notifies a remote server ( http://asv.transsion[.]com:8080/openinfo/open/index) when the phone is activated, sending over information such as IMEI code, country, model, firmware version, language, activation time, and mobile base station ID.

Phone model: Irbis SF63
Malicious behavior:
– Does not contain an internet browser but connects online via GPRS to notify a remote server about the phone’s sale/activation.
– Takes the phone’s phone number and registers accounts online (i.e., Telegram, per different reports).
– Retrieves and executes commands from a remote server ( hwwap.well2266.com).

Phone model: F+ Flip 3
Malicious behavior:
– The phone sends an SMS with the phone’s IMEI and IMSI codes to phone numbers hardcoded in the firmware.
– Several other users have also spotted this SMS and complained about it online.
– ValdikSS said he notified the vendor, which eventually ignored his report.

All the remote servers that received this activity were located in China, ValdikSS said, where all the devices were also manufactured before being re-sold on Russian online stores as low-budget alternatives to more popular push-button phone offerings, such as those from Nokia.

While the malicious behavior was found in the phone’s firmware, the researcher couldn’t say if the code was added by the vendor or by third parties that supplied the firmware or handled the phones during shipping.
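The behaviors in the table above can be checked for with a lab 2G base station like the one ValdikSS used. The following is an added example, not code from the researcher or the article: it audits a constructed event log (its record format, the sample IMEI/IMSI and the placeholder server name are assumptions) for the four patterns the report describes: hidden data sessions from a browserless phone, identifiers leaving by SMS, SMS to premium short codes, and near-instant automatic replies to incoming SMS.

```python
import re

# Constructed event log, assumed to be what a lab 2G base station records for a
# freshly activated handset. The record format and all values are assumptions
# for this example, not data from the report.
DEVICE_IMEI = "356938035643809"   # constructed sample IMEI
DEVICE_IMSI = "250017654321098"   # constructed sample IMSI

# (seconds since first power-on, event kind, remote peer, payload)
EVENTS = [
    (5,   "GPRS",    "vendor-activation.example:8080", "imei=356938035643809 country=RU"),
    (9,   "SMS_OUT", "+79001234567", "356938035643809;250017654321098"),
    (20,  "SMS_OUT", "7878",         "START"),
    (31,  "SMS_IN",  "7878",         "Confirm subscription: reply YES"),
    (32,  "SMS_OUT", "7878",         "YES"),
    (300, "SMS_OUT", "+79005550000", "hello"),
]

SHORT_CODE = re.compile(r"^\d{3,6}$")   # premium-rate numbers are usually 3-6 digit short codes
AUTO_REPLY_WINDOW = 5                   # a person rarely answers an SMS within 5 seconds

def audit(events, imei, imsi, has_browser=False):
    """Return (time, finding, peer) tuples for behaviour matching the report."""
    findings = []
    last_incoming = {}   # peer -> time of the most recent SMS_IN from that peer
    for t, kind, peer, payload in events:
        if kind == "GPRS" and not has_browser:
            # A phone with no browser has no legitimate reason to open a data session
            findings.append((t, "hidden data session", peer))
        elif kind == "SMS_IN":
            last_incoming[peer] = t
        elif kind == "SMS_OUT":
            if imei in payload or imsi in payload:
                findings.append((t, "identifiers sent by SMS", peer))
            if SHORT_CODE.match(peer):
                findings.append((t, "SMS to short code", peer))
            if peer in last_incoming and t - last_incoming[peer] <= AUTO_REPLY_WINDOW:
                findings.append((t, "automatic reply to incoming SMS", peer))
    return findings

if __name__ == "__main__":
    for t, what, peer in audit(EVENTS, DEVICE_IMEI, DEVICE_IMSI):
        print(f"t+{t:4d}s  {what:32s} {peer}")
```

The ordinary SMS to a full-length number at t+300s produces no finding, while the confirmation reply at t+32s is flagged twice, once as short-code traffic and once as an automatic reply.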

Mobile phone supply chains, backdoors, and malware

Such incidents, while quite brazen, are not so rare anymore, and similar cases have been discovered on numerous occasions over the past five years.

November 2016 – Reports from Kryptowire and Anubis Networks found that two Chinese companies that were making firmware components for larger Chinese phone makers were secretly embedding backdoor-like functionality in their code.

December 2016 – Dr.Web found malware embedded in the firmware of 26 Android smartphone models.

July 2017 – Dr.Web found versions of the Triada banking trojan hidden in the firmware of several Android smartphones.

March 2018 – Dr.Web found the same Triada trojan embedded in the firmware of 42 other Android smartphone models.

May 2018 – Avast researchers found the Cosiloon backdoor trojan in the firmware of 141 Android smartphones.

January 2019 – Upstream Systems found malware inside an app pre-installed on Alcatel smartphones.

June 2019 – BSI, the German cyber-security agency, found a backdoor in two low-budget Android phones sold to more than 20,000 users.

January 2020 – Malwarebytes said it found malware pre-installed on Unimax U673c handsets sold by Assurance Wireless (Virgin Mobile) in the US.

ValdikSS blamed the recent incidents inside Russia on the local operators and vendors who re-sold the phones without any prior security audit. The researcher also decried the fact that there isn’t any Russian telecommunications security agency where these reports could be forwarded.

The post Malware found preinstalled in classic push-button phones sold in Russia appeared first on The Record by Recorded Future.
