Russian security researcher ValdikSS has found pre-installed malware in four low-budget push-button mobile phones sold in Russian online stores. The DEXP SD2810, Itel it2160, Irbis SF63 and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to avoid detection. All the remote servers contacted by the devices were located in China.
“A considerable number of simple push-button phones present in Russian stores contain unwanted undocumented functions. They can automatically send SMS messages or go online to transfer the fact of purchase and use of the phone (transferring the phone’s IMEI and the SIM card’s IMSI). There are models with a built-in Trojan that sends paid SMS messages to short numbers, the text of which is downloaded from the server; there are also devices with a real backdoor that sends incoming SMS messages to the attacker’s server,” reads the blog post.
To observe the phones’ network traffic, ValdikSS set up a local 2G base station. He found that even phones without an internet browser secretly contacted a remote internet server when first switched on. He tested five feature phones bought online; the fifth, the Inoi 101, showed no malicious behavior.
| Phone model | Malicious behavior |
|---|---|
| DEXP SD2810 | Does not contain an internet browser but connects through GPRS behind the user’s back and sends data to a remote server, including the phone’s IMEI and IMSI. Sends SMS messages to premium numbers, retrieving the destination number and message text from a remote server. |
| Itel it2160 | A “sale” function notifies a remote server (http://asv.transsion.com) when the phone is activated, sending the IMEI, country, model, firmware version, language, activation time and mobile base station ID. |
| Irbis SF63 | Does not contain an internet browser but connects through GPRS to notify a remote server of the phone’s sale/activation. Takes the phone’s number and registers online accounts (Telegram, per other reports). Retrieves and executes commands from a remote server (hwwap.well2266.com). |
| F+ Flip 3 | Sends an SMS containing the phone’s IMEI and IMSI to phone numbers hardcoded in the firmware. |
ValdikSS noted that all the devices are manufactured as low-budget alternatives to better-known brands such as Nokia and sold through Russian online stores. Having identified the malicious behavior in the phones’ firmware, the researcher could not determine whether the code had been added by the vendor or by third parties who supplied firmware updates while the devices were in transit.
The researcher suggested the following recommendations:
- Buy only trusted global brands: Nokia phones do not contain malicious functionality, but they also cost 2-4 times more than their “domestic” counterparts;
- Read reviews before buying: it is better to buy a proven model that has been on the market for a long time with an impeccable reputation than to take a risk on a new product;
- Monitor the behavior of a new phone for the first day after purchase using the operator’s itemised usage records;
- Write to Rospotrebnadzor, the FSB (?) and the manufacturer if you notice any unexplained activity.
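The last two recommendations amount to a simple detection rule: in the first day after a feature phone is powered on, any outgoing SMS to a short (premium-rate) number, any SMS to a number the owner never messaged, and any GPRS session on a phone that has no browser are all red flags. The script below is an added example, not code from the original post or from ValdikSS; it audits an operator's itemised usage export against those rules. The CSV layout (`timestamp,event,peer,bytes`) and the sample rows are constructed for this example and are assumptions; real operator exports use their own columns.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an operator's itemised usage export for a new phone.
# The column layout is an assumption made for this example; real exports differ.
SAMPLE_RECORDS = """timestamp,event,peer,bytes
2021-09-02 10:02:11,sms_out,4446,0
2021-09-02 10:02:20,gprs,internet,1532
2021-09-02 10:05:00,sms_out,+79161234567,0
2021-09-02 11:30:00,call_out,+79167654321,0
2021-09-02 12:00:00,sms_in,+79161234567,0
2021-09-03 12:00:00,sms_out,5551,0
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def is_short_code(number: str) -> bool:
    """Premium/short numbers are plain digits, typically 3 to 6 long;
    ordinary subscriber numbers carry a country code and are much longer."""
    return number.isdigit() and 3 <= len(number) <= 6


def audit(records_csv: str, known_contacts=(), phone_has_browser=False,
          window_hours=24):
    """Return (timestamp, finding, detail) tuples for suspicious events within
    the first `window_hours` after the earliest record, which is taken as the
    moment the phone was first switched on."""
    rows = list(csv.DictReader(io.StringIO(records_csv)))
    if not rows:
        return []
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], TS_FORMAT)
    rows.sort(key=lambda r: r["ts"])
    first_use = rows[0]["ts"]
    deadline = first_use + timedelta(hours=window_hours)
    known = set(known_contacts)
    findings = []
    for r in rows:
        if r["ts"] > deadline:
            # Records are sorted, so everything after this is outside the window.
            break
        event, peer = r["event"], r["peer"]
        if event == "sms_out" and is_short_code(peer):
            # Paid SMS to a short number: the DEXP SD2810 Trojan pattern.
            findings.append((r["timestamp"], "sms_to_short_code", peer))
        elif event == "sms_out" and peer not in known:
            # SMS to a number the owner never used: the F+ Flip 3 IMEI/IMSI beacon pattern.
            findings.append((r["timestamp"], "sms_to_unknown_number", peer))
        elif event == "gprs" and not phone_has_browser:
            # Data session on a phone with no browser: the "sale" notification pattern.
            findings.append((r["timestamp"], "data_session_without_browser",
                             f"{peer}:{r['bytes']}B"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, known_contacts=("+79161234567",)):
        print(*finding)
```

The window is deliberately anchored to the first record rather than the purchase date, because the "sale" beacons fire on first power-on; the final row in the sample falls outside the 24-hour window and is therefore not reported, so extend `window_hours` if the phone sat unused after activation.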