A Russian security researcher that goes online with the name of ValdikSS has found malware preinstalled in four low-budget push-button mobile phones available for sale on Russian e-stores
The expert noticed that several push-button telephones contain unwanted undocumented functions such as automatically sending SMS messages or going online to transmit purchase data or phone info (IMEI and SIM-cards IMSI). The researcher spotted a built-in Trojan that sends paid SMS messages to short numbers in some models, other devices contained a backdoor that sends incoming SMS messages to the attackers’ server. All the remote servers contacted by the devices were located in China,
The tainted push-button devices are DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3.
The researchers analyzed the firmware and set up a 2G base station in order to intercept and analyze the devices’ communications.
The expert analyzed 5 models and only one of them, the Inoi 101 was clean. Below is the list of the tested devices and the behavior they were exhibiting.
What to do?
The researcher provides the following recommendations in his report:
At the time of this writing is still unclear if the malware was implanted by the vendor or by a threat actor as part of a supply chain attack. The experts highlighted the lack of a proper security audit for such kinds of devices that are quite common in Russia. Unfortunately, over the years the researchers have found several malware pre-installed in low-price devices.
(SecurityAffairs – hacking, malware)