[TheRecord] Malware found preinstalled in classic push-button phones sold in Russia

A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.

In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as the DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection.

ValdikSS, who set up a local 2G base station in order to intercept the phones’ communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser.

ValdikSS said he tested five old-school phones he bought online. The fifth phone, the Inoi 101, did not exhibit any malicious behavior.

Phone model / Malicious behavior

Inoi 101
– None.

DEXP SD2810
– Does not contain an internet browser but connects online via GPRS behind the user’s back and sends data to a remote server, including the phone’s IMEI and IMSI codes.
– Sends SMS messages to premium numbers by retrieving the SMS number and SMS text from a remote server. Also intercepts SMS confirmation messages and replies on behalf of the user.
– Online complaints confirm this behavior.

Itel it2160
– A “sale” function notifies a remote server (http://asv.transsion[.]com:8080/openinfo/open/index) when the phone is activated, sending over information such as IMEI code, country, model, firmware version, language, activation time, and mobile base station ID.

Irbis SF63
– Does not contain an internet browser but connects online via GPRS to notify a remote server about the phone’s sale/activation.
– Takes the phone’s phone number and registers accounts online (Telegram, according to other reports).
– Retrieves and executes commands from a remote server (hwwap.well2266[.]com).

F+ Flip 3
– The phone sends an SMS with the phone’s IMEI and IMSI codes to phone numbers hardcoded in the firmware.
– Several other users have also spotted this SMS and complained about it online.
– ValdikSS said he notified the vendor, which eventually ignored his report.

All the remote servers that received this activity were located in China, ValdikSS said, where all the devices were also manufactured before being re-sold on Russian online stores as low-budget alternatives to more popular push-button phone offerings, such as those from Nokia.

While the malicious behavior was found in the phone’s firmware, the researcher couldn’t say if the code was added by the vendor or by third parties that supplied the firmware or handled the phones during shipping.
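For an analyst repeating ValdikSS’s setup (a local 2G base station logging every SMS and GPRS request a phone under test makes), the following is an added triage script, not code from the report or from The Record. It applies the four indicators the article describes (IMEI/IMSI leaving the device, SMS to short codes, GPRS traffic from a phone with no browser, contact with the hosts named above) to a constructed event log; the IMEI, IMSI, short code and log entries are constructed sample values.

```python
import re
from dataclasses import dataclass

# Hosts named in the report; the article defangs them, so re-join the dots for matching.
KNOWN_BEACON_HOSTS = {h.replace("[.]", ".") for h in ("asv.transsion[.]com", "hwwap.well2266[.]com")}

@dataclass
class Event:
    ts: int        # seconds since the phone was first powered on
    kind: str      # "sms_mo" (mobile-originated SMS) or "gprs_http"
    dest: str      # SMS destination number, or HTTP host
    payload: str   # SMS text, or HTTP request path

def triage(events, imei, imsi, has_browser):
    """Return (ts, rule, detail) findings for one phone whose IMEI/IMSI are known."""
    findings = []
    for ev in events:
        if ev.kind == "sms_mo":
            if imei in ev.payload or imsi in ev.payload:
                findings.append((ev.ts, "identity_exfil_sms", ev.dest))
            if re.fullmatch(r"\d{3,6}", ev.dest):   # short codes are how premium SMS is billed
                findings.append((ev.ts, "short_code_sms", ev.dest))
        elif ev.kind == "gprs_http":
            if not has_browser:                     # no browser, so no legitimate reason to go online
                findings.append((ev.ts, "unexpected_gprs", ev.dest))
            if ev.dest in KNOWN_BEACON_HOSTS:
                findings.append((ev.ts, "known_beacon_host", ev.dest))
            if imei in ev.payload or imsi in ev.payload:
                findings.append((ev.ts, "identity_exfil_http", ev.dest))
    return findings

# Constructed sample values: a test phone's IMEI/IMSI and what the base station logged.
IMEI = "356938035643809"
IMSI = "250010123456789"
SAMPLE_EVENTS = [
    Event(42, "gprs_http", "asv.transsion.com", "/openinfo/open/index?imei=356938035643809&country=RU"),
    Event(95, "sms_mo", "+79990001122", "Hi"),                                        # benign user SMS
    Event(120, "sms_mo", "+79990000000", "IMEI:356938035643809 IMSI:250010123456789"),  # hardcoded number
    Event(300, "sms_mo", "4161", "START"),                                            # premium short code
]

def demo():
    return triage(SAMPLE_EVENTS, IMEI, IMSI, has_browser=False)

if __name__ == "__main__":
    for ts, rule, detail in demo():
        print(f"t+{ts:>4}s  {rule:<20} {detail}")
```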

Mobile phone supply chains, backdoors, and malware

Such incidents, while quite brazen, are not so rare anymore, and similar cases have been discovered on numerous occasions over the past five years.

November 2016 – reports from Kryptowire and Anubis Networks found that two Chinese companies that were making firmware components for larger Chinese phone makers were secretly embedding backdoor-like functionality in their code.

December 2016 – Dr.Web found malware embedded in the firmware of 26 Android smartphone models.

July 2017 – Dr.Web found versions of the Triada banking trojan hidden in the firmware of several Android smartphones.

March 2018 – Dr.Web found the same Triada trojan embedded in the firmware of 42 other Android smartphone models.

May 2018 – Avast researchers found the Cosiloon backdoor trojan in the firmware of 141 Android smartphones.

January 2019 – Upstream Systems found malware inside an app pre-installed on Alcatel smartphones.

June 2019 – BSI, the German cyber-security agency, found a backdoor in two low-budget Android phones, sold to more than 20,000 users.

January 2020 – Malwarebytes said it found malware pre-installed on Unimax U673c handsets, sold by Assurance Wireless (Virgin Mobile) in the US.

ValdikSS blamed the recent incidents inside Russia on the local operators and vendors who re-sold the phones without any prior security audit. The researcher also decried the fact that there isn’t any Russian telecommunications security agency where these reports could be forwarded.

The post Malware found preinstalled in classic push-button phones sold in Russia appeared first on The Record by Recorded Future.
