A Russian security researcher that goes online with the name of ValdikSS has found malware preinstalled in four low-budget push-button mobile phones available for sale on Russian e-stores
The expert noticed that several push-button telephones contain unwanted undocumented functions such as automatically sending SMS messages or going online to transmit purchase data or phone info (IMEI and SIM-cards IMSI). The researcher spotted a built-in Trojan that sends paid SMS messages to short numbers in some models, other devices contained a backdoor that sends incoming SMS messages to the attackers’ server. All the remote servers contacted by the devices were located in China,
The tainted push-button devices are DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3.
The researchers analyzed the firmware and set up a 2G base station in order to intercept and analyze the devices’ communications.
The expert analyzed 5 models and only one of them, the Inoi 101 was clean. Below is the list of the tested devices and the behavior they were exhibiting.
What to do?
The researcher provides the following recommendations in his report:
At the time of this writing is still unclear if the malware was implanted by the vendor or by a threat actor as part of a supply chain attack. The experts highlighted the lack of a proper security audit for such kinds of devices that are quite common in Russia. Unfortunately, over the years the researchers have found several malware pre-installed in low-price devices.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.