Many push-button phones on sale in Russia contain backdoors or trojans, a security researcher claims.
According to Russian researcher ‘ValdikSS’, some cellphones are automatically sending SMS messages or transmitting online the fact that the device has been purchased and used, among other issues.
Get the message
As outlined in a technical blog post (Russian language), some models were found to contain a built-in trojan that sends paid SMS messages to short numbers, transmitting text that is downloaded from the server. Others were said to have a backdoor that forwards incoming SMS messages to an unknown server.
ValdikSS says he discovered the issue while considering swapping the USB modems he used to receive SMS messages for phones, as these are cheaper and can each take up to four SIM cards.
“The research began due to unexpected behavior of the phone – it sent SMS by itself,” he tells The Daily Swig.
Of the five Russian push-button phones tested, only one was said to be ‘clean’
He then tested a number of push-button models, including the Inoi 101, DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3.
And, he found, some of the phones were not only transmitting IMEI and IMSI numbers for the purposes of tracking sales, but also contained a trojan that sends SMS messages to paid short numbers, after downloading the text and number from a server via the internet.
Finally, a backdoor was found that intercepts incoming SMS messages and forwards them to the server, potentially allowing an attacker to use the phone’s number to register for services that require confirmation via SMS.
“I was very confused when [a] DEXP SD2160 phone tried to send premium SMS to the number and with the body loaded from its server on the internet,” he says.
“The device, initially manufactured in 2019, was being sold by one of the largest electronic stores in June 2021, with lots of negative reviews in the same store’s website, and they didn’t recall it from sales.
“I’ve watched it do all the nasty stuff in real time on my GSM cell tower.”
Mixed bag
The Inoi 101, the researcher says, was clean and didn’t perform any covert actions.
However, the Itel it2160 model – also available outside of Russia – broadcast its sale over the internet, without warning, as did the F+ Flip 3 phone.
The DEXP SD2810 did the same, while also accessing a command-and-control server on the internet and executing its commands, sending paid SMSs to short numbers with text received from the server.
And the Irbis SF63, says ValdikSS, is “a dangerous phone that uses your phone number for commercial purposes to register third parties with online services”. Like the DEXP, it sends POST requests over HTTP, but it also encrypts the transmitted data with its own algorithm and, apparently, a fixed key.
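The behaviours described above (a sale-report request carrying the IMEI/IMSI, an SMS to a short number whose destination and text were just fetched from a server, and an incoming SMS that reappears in an outbound HTTP request) can all be spotted in a capture taken on a test cell or HTTP proxy, which is how the researcher observed them. The following is an added example, not ValdikSS's tooling or any vendor's code: it runs simple timing-window heuristics over a constructed event log. The log format, the `.invalid` hostnames, the identifier values and the 60-second window are all assumptions made for the example.

```python
"""Heuristic review of a lab capture from a push-button phone under test.

Constructed example: the event format and the sample capture below are
invented for illustration; they are not from the article or the research.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample capture: one event per line, ISO timestamp then type.
# HTTP bodies are URL-encoded as a proxy would record them.
SAMPLE_CAPTURE = """\
2021-06-05T10:00:00 BOOT
2021-06-05T10:00:12 HTTP POST http://sales-report.invalid/activate body=imei=356938035643809&imsi=250010123456789
2021-06-05T10:00:20 HTTP GET http://c2.invalid/task
2021-06-05T10:00:21 HTTP RESP body=number=1234&text=ON
2021-06-05T10:00:22 SMS_OUT to=1234 text=ON
2021-06-05T10:03:00 KEYPRESS
2021-06-05T10:03:05 SMS_OUT to=+79001234567 text=hello
2021-06-05T10:05:00 SMS_IN from=+79005550001 text=Your code is 5544
2021-06-05T10:05:02 HTTP POST http://c2.invalid/sms body=from=%2B79005550001&text=Your+code+is+5544
"""

LINE_RE = re.compile(r"^(\S+) (\w+)(?: (.*))?$")
# Premium/short codes in this example are 3 to 6 digits (assumption).
SHORT_NUMBER_RE = re.compile(r"^\d{3,6}$")


def parse_capture(text):
    """Turn capture lines into event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind,
              "rest": rest or "", "body": ""}
        if kind == "HTTP":
            # "POST <url> body=<encoded>", "GET <url>" or "RESP body=<encoded>"
            head, _, body = ev["rest"].partition(" body=")
            ev["head"], ev["body"] = head, unquote_plus(body)
        elif kind in ("SMS_OUT", "SMS_IN"):
            sm = re.match(r"(to|from)=(\S+) text=(.*)", ev["rest"])
            if sm:
                ev["peer"], ev["text"] = sm.group(2), sm.group(3)
        events.append(ev)
    return events


def analyze(events, imei, imsi, window_s=60):
    """Return (finding, timestamp, detail) tuples for suspicious patterns."""
    window = timedelta(seconds=window_s)
    findings = []
    for i, ev in enumerate(events):
        before = [e for e in events[:i] if ev["ts"] - e["ts"] <= window]
        after = [e for e in events[i + 1:] if e["ts"] - ev["ts"] <= window]

        # Device identifiers leaving the phone in any HTTP traffic.
        if ev["kind"] == "HTTP" and (imei in ev["body"] or imsi in ev["body"]):
            findings.append(("identifier_leak", ev["ts"], ev["head"]))

        if ev["kind"] == "SMS_OUT" and "peer" in ev:
            # Short-number SMS with no user input shortly before it.
            if SHORT_NUMBER_RE.match(ev["peer"]) and not any(
                    e["kind"] == "KEYPRESS" for e in before):
                findings.append(("unattended_short_number_sms", ev["ts"], ev["peer"]))
            # Destination and text both present in a recent server response.
            if any(e["kind"] == "HTTP" and ev["peer"] in e["body"]
                   and "text=" + ev["text"] in e["body"] for e in before):
                findings.append(("c2_supplied_sms", ev["ts"], ev["peer"]))

        # Incoming SMS text reappearing in an outbound request soon after.
        if ev["kind"] == "SMS_IN" and "text" in ev and any(
                e["kind"] == "HTTP" and ev["text"] in e["body"] for e in after):
            findings.append(("sms_forwarded", ev["ts"], ev["peer"]))
    return findings


def review_capture(text, imei, imsi, window_s=60):
    return analyze(parse_capture(text), imei, imsi, window_s)


if __name__ == "__main__":
    for kind, ts, detail in review_capture(
            SAMPLE_CAPTURE, "356938035643809", "250010123456789"):
        print(f"{ts.isoformat()}  {kind:30s} {detail}")
```

The user-initiated SMS at 10:03:05 (a key press five seconds earlier, a normal-length number) is deliberately left unflagged, so the heuristics separate ordinary use from the unattended, server-driven traffic the article describes. On a real capture the window and the short-number pattern would need tuning to the operator's numbering plan.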
ValdikSS said he contacted the vendors, but with little response.
The Daily Swig has approached the manufacturers for comment, and will update this article as and when we hear back.