Malware Found Preinstalled In Classic Push-button Phones Sold In Russia

"A security researcher has discovered malicious code inside the firmware of four low-budget push-button mobile phones sold through Russian online stores," reports the Record: In a report published this week by a Russian security researcher named ValdikSS, push-button phones such as DEXP SD2810, Itel it2160, Irbis SF63, and F+ Flip 3 were caught subscribing users to premium SMS services and intercepting incoming SMS messages to prevent detection. ValdikSS, who set up a local 2G base station in order to intercept the phones' communications, said the devices also secretly notified a remote internet server when they were activated for the first time, even if the phones had no internet browser...

All the remote servers that received this activity were located in China, ValdikSS said, where all the devices were also manufactured before being re-sold on Russian online stores as low-budget alternatives to more popular push-button phone offerings, such as those from Nokia.
But who's responsible, the article ultimately asks. The third party supplying the firmware? The parties shipping the phones? The vendors selling the phone without detecting its malware? Or the government agencies lacking a mechanism for collecting reports of malware...

Burner Phones

[phalse phace]

But who's responsible, the article ultimately asks. The third party supplying the firmware? The parties shipping the phones? The vendors selling the phone without detecting its malware? Or the government agencies lacking a mechanism for collecting reports of malware...

Answer: Russian govt wanting to keep tabs on people who use these cheap push-button phones as burner phones.

Re:Burner Phones

[Ostracus]

Answer: Russian govt wanting to keep tabs on people who use these cheap push-button phones as burner phones.

Seems they might want to move the server out of China then.

Re:

[ehrichweiss]

Only if they don't want China taking the blame. That might be some of the motivation behind the whole thing.

Re: Burner Phones

[Mouse Sperm]

REEEeEEE iTs teh RuSSiAnz agAiN!!!1

Re:

[arglebargle_xiv]

In Putinist Russia, cellphone watch you!

Re: Burner Phones

[bumblebees]

If it was a gov im pretty sure it would be easier ways to keep track of it. And for sure one that did not involve draining the prepaid card. This is for sure some greedy manufacturer subsidizing the manufacturing cost. Or a programmer that was hired to make the cheap firmware.

That attack is more common than people think

[kot-begemot-uk]

Half of the Chinese devices try to call home. And they still get EC and FCC certs - no agency is set up to fight this.

Re:

[OrangeTide]

Each nation needs some kind of consumer protection organization as well as an electronic security and safety organization. The number of people I know who have had bank accounts drained tells me that individuals and industry are not fighting this, perhaps they don't have the tools or perhaps lack the motivation. I really hate having to invent new government agencies to regulate yet another thing under a bureaucracy. But the longer we hemorrhage money the more people will make careers out of exploiting us.

Re:

[NateFromMich]

Each nation needs some kind of consumer protection organization as well as an electronic security and safety organization.

Everything they described in this article is fraud. Fraud is already illegal.

Re:

[OrangeTide]

if you can't enforce the law it's kind of pointless. it'd be like saying that highway speeding is illegal but not having any highway patrol.

Re:

[NateFromMich]

Half of the Chinese devices try to call home. And they still get EC and FCC certs - no agency is set up to fight this.

You mean, no agency does their fucking job because they aren't competent.

Re:

[RockDoctor]

No, he means that no agency, anywhere, is set up to fight this. Specifically, no Russian, American, or Solomon Islands (to introduce an equally relevant 4th party) agency has received orders to investigate Chinese phones on sale in Russia, by Russians. More specifically, none of them (including most reprehensibly, the Solomon Islanders) have both the instructions to investigate this, and the funding to pay for a roof while they do it.

This is not to denigrate the high competence of the Solomon Islanders - i

Re:

[Opportunist]

Wait, isn't the NSA's job to fight this? Or have they been remodeled fully by now for domestic surveillance?

Re:

[RockDoctor]

Do the FCC certify cybersecurity? I've read the requirements for EC electrical safety certification, and they certainly make zero mention of cybersecurity, but it's possible that the FCC do.

Strangely, the BSI regualtions behind my kettle's electrical safety certifiactino also make no mention of cybersecurity, but since it consists of a resistor (heating element), a switch, and a resettable thermal fuse, that doesn't much surprise me.

Perhaps you think that EC (or BSI or FCC) certification addresses more th

Figures

[RitchCraft]

China again

Re:

[flyingfsck]

Hmm, not Russia, Russia, Russia, but China and Russia... therefore it must be Joe's fault.

Re:

[Opportunist]

Look, it's always the fault of whoever you want to tack the blame on. Joe, Donald, China, Russia, Belarus, Ukraine... in the end, whoever you need to blame, you'll find "solid evidence" (read: some webpage) that supports your favorite boogeyman.

Classic? I think not.

[davidwr]

If a push-button phone uses post-Soviet-era technology, it's too new to be considered a "classic" push-button phone. Remember folks, "In Soviet Russia, classic push-button phone calls YOU!"

In modern Russia, the computer in your pocket "phones home" as it spies on you.

Re:

[account_deleted]

Comment removed based on user account deletion

Pretty soon everything will be dead/unusable

[140Mandak262Jamuna]

The POTS (Plain old telephone service) is unusable for quite some time now. All I get is spam and scam, not a single usable caller. for ages, I don't really know I am paying for even now

Email too is gone, useless, just spam

So far WhatsApp and Signal are ok, still they let anyone send me messages, but I can block after the first message. They seem to use less spoofable origination detection and catch mass spammers and block them. Once the scammers find a way to scam them those too will become useless

LTE at chip level is quite cheap and it is possible to give internet connection to any device that gets powered, alarm clocks, usb chargers, ... anything. They can have microphone and transmit voice to anyone in the world.

Where is it all going, I wonder ....

Re:

[antdude]

Everything is pretty much get spams. In person, on medias, phones, etc.

Re:

[BeaverCleaver]

So far WhatsApp and Signal are ok,.

WhatsApp? Really? The same WhatsApp owned by facebook? Maybe you don't see spam _on WhatsApp_ but you can be pretty sure that the platform is being used to harvest data to make advertising somewhere.

Oh and if your email has become unusable, that's on you. At least with email it's easier to get a new address with a new provider and start again.

"Push-button phones"? WTF?

[DontBeAMoran]

Didn't we used to call them "dumb phones" or just "cellphones"? Why do idiots keep renaming things that already have names?!

Re:

[Opportunist]

So the cool kids don't have to use the terms we old farts use.

Re:

[anonymouscoward52236]

Not "push button phones", "dumb phones", or "cellphones". These have a name and the editor of the article was an idiot. These are called FEATURE PHONES. https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[iggymanz]

haha, no that is recent name too for a very old thing.

Just like kids at work saying "live check" for when they hand out a paper bonus check. No, it's just a check. The normal EFT for payroll isn't really a check at all.

In the USA

[p51d007]

It's called GOOGLE (if you have an android phone) It's called SIRI (if you have an apple phone)

Why setup 2G tower?

[Gabest]

I know only old and other challenged people use these phones, but how can you not notice those expensive SMS's on your monthly bill?

Re:

[Vliegendehuiskat]

Unlimited subscriptions without data go as low as €8 these days.

Re:

[BeaverCleaver]

Unlimited subscriptions without data go as low as €8 these days.

If the account holder doesn't get charged it wouldn't be a problem. Sure, premium SMS services are run by scum, but telcos are run by scum too. So if one bunch of scumbags is trying to rip off another bunch of scumbags, and the customer's bill doesn't change, that seems OK.

Unfortunately, I fear most of these are probably prepaid phones, and the poor suckers who buy them find that they have to go and buy more phone credit way more frequently than they should.

Re:

[RockDoctor]

You get a bill?

And you actually read it?

Reminds me why Right to Repair is important.

[Goatbot]

Kinda o/t but events like this emphasize to me why I want devices I can open an inspect. By open I mean both in the physical sense and the software sense. A simple once over the components so you know what your working with can make you much more aware of future side channel attacks. Without the right to repair issues like this depend on people putting themselves at risk of both criminal and civil penalties by researching and publishing this type of information.

Re:

[RockDoctor]

Yeah - I vaguely looked at that a few months back. The only such phone that vaguely approaches that level of accessibility costs most of a month's disposable income, and would take me several months to inspect in any sense "thoroughly".

It is not - in a very literal, fiscal, sense - worth it.
If I want something resembling anonymity, I can get it for about 1/100th of the cost by buying a burner phone for cash over the counter in a shop too small to keep their anti-robbery tapes for more than a few days.

Russia is a basket case

[Malays2 bowman]

They are sliding deeper and deeper into right wing fascism, militarism, and the country has always been corrupt to the core. They have the highest number of neo-Nazis of any company of the world, and violent attacks on minorities and the LGBT community is very common there.

A malware laden phone sold on the market is to be expected there, and really it's the least of their problems.

Re: Russia is a basket case

[Malays2 bowman]

They have the highest number of neo-Nazis of any COUNTRY in the world, "

Re:

[account_deleted]

Comment removed based on user account deletion

Submission filter?

[Anonymous Crowded]

Shouldn't the +1 "malware" topic be offset by -1 "Russia" (not news)?

Other sites do the same thing +1 "gas fire" -1 "Florida" eh?