Malware found preinstalled in classic push-button phones sold in Russia
Image: ValdikSS
Catalin Cimpanu September 5, 2021

Malware found preinstalled in classic push-button phones sold in Russia

Catalin Cimpanu

September 5, 2021

Malware found preinstalled in classic push-button phones sold in Russia

A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.

In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as DEXP SD2810Itel it2160Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection.

ValdikSS, who set up a local 2G base station in order to intercept the phones’ communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser.

ValdikSS said he tested five old school phones he bought online. A fifth phone, the Inoi 101, was also tested, but the devices did not exhibit any malicious behavior.

Phone modelMalicious behavior
Inoi 101None.
DEXP SD2810– Does not contain an internet browser but connects online via GPRS behind the user’s back and sends data to a remote server, including phone IMEI and IMSI codes.
– Sends SMS messages to premium numbers by retrieving the SMS number and SMS text from a remote server. Also intercepts SMS confirmation messages and replies on behalf of the user.
– Online complaints confirm this behavior.
Itel it2160A “sale” function notifies a remote server ( http://asv.transsion[.]com:8080/openinfo/open/index) when the phone is activated, sending over information such as IMEI code, country, model, firmware version, language, activation time, and mobile base station ID.
Irbis SF63– Does not contain an internet browser but connects online via GPRS to notify a remote server about the phone’s sale/activation.
– Takes the phone’s phone number and registers accounts online (i.e., Telegram, per different reports).
– Retrieves and executes commands from a remote server ( hwwap.well2266.com).
F+ Flip 3– The phone sends an SMS with the phone IMEI and IMSI codes to phone numbers hardcoded in the firmware.
– Several other users have also spotted this SMS and complained about it online.
– ValdikSS said they notified the vendor, which eventually ignored his report.

All the remote servers that received this activity were located in China, ValdikSS said, where all the devices were also manufactured before being re-sold on Russian online stores as low-budget alternatives to more popular push-button phone offerings, such as those from Nokia.

While the malicious behavior was found in the phone’s firmware, the researcher couldn’t say if the code was added by the vendor or by third parties that supplied the firmware or handled the phones during shipping.

Mobile phone supply chains, backdoors, and malware

Such incidents, while quite brazen, are not so rare anymore, and similar cases have been discovered on numerous occasions over the past five years.

ValdikSS blamed the recent incidents inside Russia on the local operators and vendors who re-sold the phones without any prior security audit. The researcher also decried the fact that there isn’t any Russian telecommunications security agency where these reports could be forwarded.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.