https://therecord.media/malware-found-preinstalled-in-classic-push-button-phones-sold-in-russia/

Malware found preinstalled in classic push-button phones sold in Russia

Image: ValdikSS

Catalin Cimpanu, September 5, 2021 (News, Technology)

A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores.

In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as the DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection.

ValdikSS, who set up a local 2G base station in order to intercept the phones' communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser.

ValdikSS said he tested five old-school phones he bought online. A fifth phone, the Inoi 101, was also tested, but that device did not exhibit any malicious behavior.

Phone model: Malicious behavior

Inoi 101
* None.

DEXP SD2810
* Does not contain an internet browser but connects online via GPRS behind the user's back and sends data to a remote server, including the phone's IMEI and IMSI codes.
* Sends SMS messages to premium numbers by retrieving the SMS number and SMS text from a remote server. Also intercepts SMS confirmation messages and replies on behalf of the user.
* Online complaints confirm this behavior.

Itel it2160
* A "sale" function notifies a remote server (http://asv.transsion[.]com:8080/openinfo/open/index) when the phone is activated, sending over information such as IMEI code, country, model, firmware version, language, activation time, and mobile base station ID.

Irbis SF63
* Does not contain an internet browser but connects online via GPRS to notify a remote server about the phone's sale/activation.
* Takes the phone's phone number and registers accounts online (i.e., Telegram, per different reports).
* Retrieves and executes commands from a remote server (hwwap.well2266.com).

F+ Flip 3
* Sends an SMS with the phone's IMEI and IMSI codes to phone numbers hardcoded in the firmware.
* Several other users have also spotted this SMS and complained about it online.
* ValdikSS said he notified the vendor, which eventually ignored his report.

All the remote servers that received this activity were located in China, ValdikSS said, where all the devices were also manufactured before being re-sold on Russian online stores as low-budget alternatives to more popular push-button phone offerings, such as those from Nokia.

While the malicious behavior was found in the phones' firmware, the researcher couldn't say whether the code was added by the vendor or by third parties that supplied the firmware or handled the phones during shipping.

Mobile phone supply chains, backdoors, and malware

Such incidents, while quite brazen, are not so rare anymore, and similar cases have been discovered on numerous occasions over the past five years.

* November 2016 - Reports from Kryptowire and Anubis Networks found that two Chinese companies that were making firmware components for larger Chinese phone makers were secretly embedding backdoor-like functionality in their code.
* December 2016 - Dr.Web found malware embedded in the firmware of 26 Android smartphone models.
* July 2017 - Dr.Web found versions of the Triada banking trojan hidden in the firmware of several Android smartphones.
* March 2018 - Dr.Web found the same Triada trojan embedded in the firmware of 42 other Android smartphone models.
* May 2018 - Avast researchers found the Cosiloon backdoor trojan in the firmware of 141 Android smartphones.
* January 2019 - Upstream Systems found malware inside an app pre-installed on Alcatel smartphones.
* June 2019 - BSI, the German cyber-security agency, found a backdoor in two low-budget Android phones, sold to more than 20,000 users.
* January 2020 - Malwarebytes said it found malware pre-installed on Unimax U673c handsets, sold by Assurance Wireless (Virgin Mobile) in the US.

ValdikSS blamed the recent incidents inside Russia on the local operators and vendors who re-sold the phones without any prior security audit. The researcher also decried the fact that there isn't any Russian telecommunications security agency to which these reports could be forwarded.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.
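As an added illustration, not taken from the article or from ValdikSS's report, the script below applies the checks a tester with an intercepting base station would run over a captured event log to flag the behaviours listed in the table above: unexpected GPRS sessions from a browser-less phone, outbound traffic carrying the device's IMEI or IMSI, SMS to short codes, and a reply sent within seconds of an incoming message to the same number. The log format, the short-code heuristic (6 digits or fewer), the `has_browser` parameter and every identifier in the sample are assumptions constructed for the example.

```python
"""Flag the behaviours described in the article in a constructed event log
from an intercepting test base station (sample data, not ValdikSS's capture)."""
import re
from datetime import datetime, timedelta

# Constructed sample log: one event per line. IMEI/IMSI, numbers and host are placeholders.
SAMPLE_LOG = """\
2021-09-01T10:00:01 DEVICE imei=123456789012345 imsi=001010123456789
2021-09-01T10:00:05 GPRS dst=example-activation.invalid:8080 path=/activate body=imei=123456789012345&model=TEST
2021-09-01T10:01:00 SMS_OUT dst=1234 body=START
2021-09-01T10:01:20 SMS_IN src=1234 body=Reply YES to confirm subscription
2021-09-01T10:01:23 SMS_OUT dst=1234 body=YES
2021-09-01T10:02:00 SMS_OUT dst=+15550100000 body=123456789012345;001010123456789
"""

LINE_RE = re.compile(r"^(\S+) (\w+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse(log):
    """Return a list of (timestamp, event kind, fields) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(KV_RE.findall(rest))
        if "body=" in rest:  # body may contain spaces; keep everything after "body="
            fields["body"] = rest.split("body=", 1)[1]
        events.append((datetime.fromisoformat(ts), kind, fields))
    return events

def findings(log, has_browser=False, reply_window=timedelta(seconds=60)):
    """Return (rule, peer) pairs for every event that matches a suspicious pattern."""
    events = parse(log)
    ids = {v for _, k, f in events if k == "DEVICE" for v in (f.get("imei"), f.get("imsi")) if v}
    out, last_in = [], {}  # last_in: sender number -> time of its last incoming SMS
    for ts, kind, f in events:
        dst = f.get("dst", "")
        if kind == "GPRS" and not has_browser:  # data session from a phone with no browser
            out.append(("unexpected_data_session", dst))
        if kind in ("GPRS", "SMS_OUT") and any(i in f.get("body", "") for i in ids):
            out.append(("identifier_exfil", dst))  # IMEI/IMSI leaving the device
        if kind == "SMS_OUT" and dst.isdigit() and len(dst) <= 6:
            out.append(("short_code_sms", dst))  # heuristic for premium short codes
        if kind == "SMS_IN":
            last_in[f.get("src", "")] = ts
        if kind == "SMS_OUT" and dst in last_in and ts - last_in[dst] <= reply_window:
            out.append(("auto_reply", dst))  # fast reply to a confirmation message
    return out

if __name__ == "__main__":
    for rule, peer in findings(SAMPLE_LOG):
        print(f"{rule:24} {peer}")
```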