Malware found to be installed on multiple feature phones by default
A survey that set out to answer the question "Can cheaply sold feature phones send and receive SMS without problems?" found that several of the phones came with malware preinstalled, and that this malware sent information off the device.
Trojans and backdoors in push-button mobile phones sold by Russian retailers / Habr (Хабр)
Malware found preinstalled in classic push-button phones sold in Russia - The Record by Recorded Future
https://therecord.media/malware-found-preinstalled-in-classic-push-button-phones-sold-in-russia/
This was reported by ValdikSS, a user of the Russian IT forum Habr (Хабр).
ValdikSS surveyed cheap feature phones sold in Russian mobile phone stores. The five models examined each use a chip from one of the three major feature-phone chip makers: RDA Microelectronics and Spreadtrum, both part of the Chinese semiconductor group Tsinghua Unigroup, and the Taiwanese semiconductor maker MediaTek.
During the investigation, ValdikSS noticed that some of the phones behaved in a clearly malicious way. The confirmed behaviours fall into three broad categories: attempting to send the phone's IMEI and the SIM card's IMSI to an unidentified organisation or individual; connecting to the network in the background and sending SMS to paid (premium-rate) numbers, which drains money from the account tied to the phone number; and a backdoor that intercepts received SMS and forwards them to a server.
The phones ValdikSS examined and the behaviour observed on each are as follows.
Model | SoC | Price | Malicious behaviour |
---|---|---|---|
INOI 101 | RDA8826 / SC6533 | 600₽ (about 904 yen) | None |
DEXP SD2810 | SC6531E | 699₽ (about 1,053 yen) | Sends the IMEI and IMSI over GPRS; receives a destination number and message text from a remote server and sends an SMS to that number; intercepts incoming SMS and replies on the user's behalf |
Itel it2160 | MT6261 | 799₽ (about 1,204 yen) | Sends the IMEI, country, model, firmware version and similar data to a remote server |
Irbis SF63 | SC6531DA | 750₽ (about 1,131 yen) | Sends phone activation data to a remote server over GPRS; obtains the phone number and registers an online account; fetches commands from a remote server and executes them |
F+ Flip 3 | SC6531DA | 1499₽ (about 2,259 yen) | Sends an SMS containing the IMEI and IMSI to a phone number hard-coded in the firmware |
All remote servers were located in China.
The malicious behaviour comes from the firmware itself, but it is not known who added the code to the shipped phones: the phone vendor, or the third party that supplied the firmware.
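Because the behaviour lives in the firmware, the first check a practitioner would run on a dumped feature-phone firmware image is string triage: looking for hard-coded phone numbers (like the SMS destination in the F+ Flip 3 case), report URLs, APN names and identity keywords. The script below is an added example and is not ValdikSS's code or any vendor's; the firmware blob, the URL `example.invalid`, the phone numbers and the APN in it are constructed sample data, not values from the real devices.

```python
"""String triage for a raw feature-phone firmware dump.

Added example. Extracts ASCII and UTF-16LE strings from a binary blob and
flags the kinds of values preinstalled SMS/GPRS malware tends to carry:
hard-coded phone numbers, report URLs, APN names, and identity keywords.
"""
import re
from typing import Dict, List

# Constructed sample "firmware" blob, NOT a real dump: ASCII strings,
# one UTF-16LE string and binary filler, as a raw flash dump would mix them.
SAMPLE_FIRMWARE = (
    b"\x00\x7f\x12\x00SC6531_BOOT\x00\xff\xff"
    + b"AT+CGMI\x00http://example.invalid/report.php?imei=\x00"
    + "+79001234567".encode("utf-16-le") + b"\x00\x00"   # hypothetical SMS target
    + b"internet.mts.ru\x00\x01\x02\xfe"                  # hypothetical APN
    + b"IMSI\x00\x9a\x9b"
    + b"smsc://+12025550100\x00"                          # hypothetical number
)

# Patterns to flag. E.164-style numbers, http(s) URLs, common APN prefixes,
# and subscriber/device identity keywords.
PATTERNS = {
    "phone_number": re.compile(r"\+\d{9,15}"),
    "url": re.compile(r"https?://[\w.\-/?=&%]+"),
    "apn_like": re.compile(r"\b(?:internet|wap|cmnet|cmwap|cmiot)\b[\w.]*"),
    "identity_keyword": re.compile(r"\b(?:IMEI|IMSI|ICCID)\b", re.I),
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(blob)]
    return found


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Run every pattern over every extracted string; de-duplicate hits."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for s in extract_strings(blob):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(s):
                if m.group() not in hits[name]:
                    hits[name].append(m.group())
    return hits


if __name__ == "__main__":
    for category, values in triage(SAMPLE_FIRMWARE).items():
        print(f"{category}: {values}")
```

Hits from this pass are leads, not proof: a number or URL in the image still has to be tied to code that sends it, and compressed or obfuscated firmware sections will not yield strings at all. Run it on a real dump by replacing `SAMPLE_FIRMWARE` with the bytes of the image file.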