
Malware found pre-installed in cheap push-button mobile phones sold in Russia

Security researcher ValdikSS found malware preinstalled in four low-budget push-button mobile phones available for sale on Russian e-stores.


The expert noticed that several push-button phones contain unwanted, undocumented functions, such as automatically sending SMS messages or going online to transmit purchase data or phone information (the IMEI and the SIM card's IMSI). In some models the researcher spotted a built-in Trojan that sends paid SMS messages to short numbers; other devices contained a backdoor that forwards incoming SMS messages to the attackers' server. All the remote servers contacted by the devices were located in China.

The tainted push-button devices are DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3.

The researcher analyzed the firmware and set up a 2G base station in order to intercept and analyze the devices' communications.

The expert analyzed 5 models, and only one of them, the Inoi 101, was clean. Below is the list of the tested devices and the behavior each of them exhibited.

  • Inoi 101 – Clean.
  • Itel it2160 – The device was spotted transferring information to the domain asv.transsion.com (country, model, firmware version, language, activation time, base station ID (LAC / TAC)). The researcher found on the server a panel containing information about the devices sold.
  • F+ Flip 3 – The device reports "the fact of sale" via SMS to the number +79584971255, sending the IMEI and IMSI in the body of the message.
  • DEXP SD2810 – The expert pointed out that even though the device does not contain a browser, it connects to the Internet via GPRS. It sends information about the sale, the IMEI and the IMSI, contacts a command-and-control (C&C) server on the Internet and executes its commands. It was also spotted sending paid SMS messages to short numbers with text received from the server.
  • Irbis SF63 – This device does not contain a browser either, but it connects online via GPRS to notify a remote server about the device's activation. It sends the phone's number to the remote server and registers accounts online (i.e., Telegram). The device also retrieves and executes commands from a remote server (hwwap.well2266.com).

What to do?

The researcher provides the following recommendations in his report:

  • Buy only trusted global brands: Nokia phones do not contain malicious functionality, but they also cost 2-4 times more than their “domestic” counterparts;
  • Read reviews before buying: it is better to buy a proven model, which has been on the market for a long time, with an impeccable reputation, than to take risks with new products;
  • Track the behavior of a new phone after purchase within a day, according to the operator’s details;
  • Write to Rospotrebnadzor, the FSB (?) and the manufacturer if you find any unexplained activity.
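The third recommendation, checking the operator's itemised records during the first day of use, is the one a buyer can act on without any tooling from the researcher. The script below is an added example, not code from the article or from ValdikSS's report: it assumes a simplified, constructed CSV export (columns timestamp, type, peer, bytes) and flags the behaviours the article describes, namely outgoing SMS to short numbers, SMS to unfamiliar numbers right after activation, and data sessions from a phone that has no browser and therefore no legitimate reason to go online. The six-digit cut-off for "short number" is an assumption, not an operator rule.

```python
"""Flag suspicious entries in a mobile operator's itemised usage export.

Added example, not from the original article or the researcher's report.
Assumes a constructed CSV format: timestamp,type,peer,bytes where type is
one of CALL_OUT, SMS_OUT, SMS_IN, DATA and peer is a phone number, short
code or access point name.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample record (not real operator data). The full-length number
# and the short code are stand-ins for what such an export would contain.
SAMPLE_EXPORT = """timestamp,type,peer,bytes
2021-09-01 10:02:11,CALL_OUT,+79990001122,0
2021-09-01 10:05:40,SMS_OUT,+79584971255,0
2021-09-01 10:06:02,DATA,internet.example,4096
2021-09-01 11:30:00,SMS_OUT,3855,0
2021-09-02 08:15:00,SMS_OUT,+79990001122,0
2021-09-03 09:00:00,DATA,internet.example,120000
"""


def parse_export(text):
    """Parse the CSV export into dicts with a datetime timestamp and int bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def is_short_number(peer):
    """Short (premium-rate) codes: all digits, no country prefix, at most
    six digits. The length threshold is an assumption for this example."""
    return peer.isdigit() and len(peer) <= 6


def flag_suspicious(rows, known_contacts, has_browser,
                    activation=None, window=timedelta(days=1)):
    """Return a list of (timestamp, reason) findings.

    known_contacts: numbers the owner actually messaged on purpose.
    has_browser:    whether the phone has any legitimate way to use data.
    activation:     first use of the SIM; defaults to the earliest record.
    """
    if activation is None:
        activation = min(r["timestamp"] for r in rows)
    findings = []
    for r in rows:
        t, kind, peer = r["timestamp"], r["type"], r["peer"]
        in_window = t - activation <= window
        if kind == "SMS_OUT" and is_short_number(peer):
            # Paid SMS to a short number is the behaviour seen on the DEXP SD2810.
            findings.append((t, f"outgoing SMS to short number {peer} (possible paid service)"))
        elif kind == "SMS_OUT" and in_window and peer not in known_contacts:
            # The F+ Flip 3 reported the sale by SMS to a fixed number right after activation.
            findings.append((t, f"outgoing SMS to unknown number {peer} within {window} of activation"))
        elif kind == "DATA" and not has_browser:
            # A browser-less phone has no user-driven reason to open GPRS sessions.
            findings.append((t, f"data session ({r['bytes']} bytes) from a phone with no browser"))
    return findings


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    for when, reason in flag_suspicious(records, {"+79990001122"}, has_browser=False):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {reason}")
```

The rules are deliberately simple: the point is to turn the operator's detail page into something checked mechanically rather than eyeballed. A phone that does have a browser still gets the two SMS rules, and a longer window can be passed if the phone sat unused after purchase.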

At the time of this writing it is still unclear whether the malware was implanted by the vendor or by a threat actor as part of a supply chain attack. The expert highlighted the lack of a proper security audit for this kind of device, which is quite common in Russia. Unfortunately, over the years researchers have repeatedly found malware pre-installed on low-price devices.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
