Malware found preinstalled in classic push-button phones sold in Russia
A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.
In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection.
ValdikSS, who set up a local 2G base station in order to intercept the phones' communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser.
ValdikSS said he tested five old school phones he bought online. A fifth phone, the Inoi 101, was also tested, but the devices did not exhibit any malicious behavior.
|Phone model||Malicious behavior|
|DEXP SD2810||- Does not contain an internet browser but connects online via GPRS behind the user's back and sends data to a remote server, including phone IMEI and IMSI codes.|
- Sends SMS messages to premium numbers by retrieving the SMS number and SMS text from a remote server. Also intercepts SMS confirmation messages and replies on behalf of the user.
- Online complaints confirm this behavior.
|Itel it2160||A "sale" function notifies a remote server ( http://asv.transsion[.]com:8080/openinfo/open/index) when the phone is activated, sending over information such as IMEI code, country, model, firmware version, language, activation time, and mobile base station ID.|
|Irbis SF63||- Does not contain an internet browser but connects online via GPRS to notify a remote server about the phone's sale/activation.|
- Takes the phone's phone number and registers accounts online (i.e., Telegram, per different reports).
- Retrieves and executes commands from a remote server ( hwwap.well2266.com).
|F+ Flip 3||- The phone sends an SMS with the phone IMEI and IMSI codes to phone numbers hardcoded in the firmware.|
- Several other users have also spotted this SMS and complained about it online.
- ValdikSS said they notified the vendor, which eventually ignored his report.
All the remote servers that received this activity were located in China, ValdikSS said, where all the devices were also manufactured before being re-sold on Russian online stores as low-budget alternatives to more popular push-button phone offerings, such as those from Nokia.
While the malicious behavior was found in the phone's firmware, the researcher couldn't say if the code was added by the vendor or by third parties that supplied the firmware or handled the phones during shipping.
Mobile phone supply chains, backdoors, and malware
Such incidents, while quite brazen, are not so rare anymore, and similar cases have been discovered on numerous occasions over the past five years.
- November 2016 - reports from Kryptowire and Anubis Networks found that two Chinese companies that were making firmware components for larger Chinese phone makers were secretly embedding a backdoor-like functionality in their code.
- December 2016 - Dr.Web found malware embedded in the firmware of 26 Android smartphone models.
- July 2017 - Dr.Web found versions of the Triada banking trojan hidden in the firmware of several Android smartphones.
- March 2018 - Dr.Web found the same Triada trojan embedded in the firmware of 42 other Android smartphone models.
- May 2018 - Avast researchers found the Cosiloon backdoor trojan in the firmware of 141 Android smartphones.
- January 2019 - Upstream Systems found malware inside an app pre-installed on Alcatel smartphones.
- June 2019 - BSI, the German cyber-security agency, found a backdoor in two low-budget Android phones, sold to more than 20,000 users.
- January 2020 - Malwarebytes said it found malware pre-installed on Unimax U673c handsets, sold by Assurance Wireless (Virgin Mobile) in the US.
ValdikSS blamed the recent incidents inside Russia on the local operators and vendors who re-sold the phones without any prior security audit. The researcher also decried the fact that there isn't any Russian telecommunications security agency where these reports could be forwarded.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.