SMS-Sending Spyware Preinstalled on Some Russian and Chinese Feature Phones

A security researcher claims that several feature phones widely sold in Russia have preinstalled malware that leads to fraudulent usage charges or surveillance of the user’s messages. A post by user ValdikSS on the Russian collaborative blog Habr stated that he checked several handsets and found examples of malware that would:

  • send secret SMS messages sharing the handset’s IMEI and the SIM card’s IMSI numbers;
  • incur usage fees by repeatedly sending messages to short codes supplied using the internet; or
  • secretly register for online services by sending SMS confirmations to messages received.

Both the Russian-made Flip 3 from F+ and the Chinese-manufactured Itel it2160 were found to send SMS messages with the IMEI and IMSI, effectively ‘announcing’ the sale of the device when it is first switched on.
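As an added example (not taken from ValdikSS's post or from this article), a network-side check for the 'sale announcement' behaviour described above: flag outgoing SMS whose body contains the sender's own IMEI or IMSI, then group the hits by TAC, the first eight IMEI digits that identify the handset model. The record layout, sample values and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records, not real data:
# (sender IMEI, sender IMSI, destination number, SMS body)
RECORDS = [
    ("350000001000015", "001010000000001", "5550100", "ACT 350000001000015 001010000000001"),
    ("350000001000023", "001010000000002", "5550100", "ACT 350000001000023,001010000000002"),
    ("350000001000031", "001010000000003", "5550199", "See you at 6?"),
    ("860000002000011", "001010000000004", "5550123", "My old IMEI was 350000001000015"),
    ("860000002000029", "001010000000005", "5550123", "Running late"),
]

# Separators removed before matching, so "35-000000-100001-5" is still caught.
SEPARATORS = re.compile(r"[\s\-./]")

def leaked_identifiers(imei, imsi, body):
    """Return which of the sender's OWN identifiers appear in the SMS body."""
    compact = SEPARATORS.sub("", body)
    found = set()
    # Compare 14 digits so the IMEI matches with or without its check digit.
    if imei[:14] in compact:
        found.add("IMEI")
    if imsi in compact:
        found.add("IMSI")
    return found

def summarize_by_tac(records):
    """Map TAC -> (devices that leaked an identifier, devices seen)."""
    seen, leaking = defaultdict(set), defaultdict(set)
    for imei, imsi, _dest, body in records:
        tac = imei[:8]
        seen[tac].add(imei)
        if leaked_identifiers(imei, imsi, body):
            leaking[tac].add(imei)
    return {tac: (len(leaking[tac]), len(seen[tac])) for tac in seen}

def leak_destinations(records):
    """Map destination number -> count of distinct devices that leaked to it."""
    devices = defaultdict(set)
    for imei, imsi, dest, body in records:
        if leaked_identifiers(imei, imsi, body):
            devices[dest].add(imei)
    return {dest: len(imeis) for dest, imeis in devices.items()}

if __name__ == "__main__":
    print(summarize_by_tac(RECORDS))
    print(leak_destinations(RECORDS))
```

A TAC where most observed devices leak their identifiers to the same destination points to firmware behaviour rather than to something individual users typed.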

The DEXP SD2810 is made for and sold by the Russian DNS chain of retail electronics stores. ValdikSS identified that this handset announces its sale by GPRS and then receives commands that tell the device to send SMS messages to various numbers.

The Russian-made Irbis SF63 was found to announce its sale by GPRS and then exchange encrypted communications with a web domain registered in China. These encrypted messages would apparently instruct the phone to send confirmation SMS messages so the handset was enrolled to use services without the user’s knowledge. ValdikSS cited an example where the user was signed up to use the Telegram messaging app.

The issue of spyware being installed on handsets has gained prominence due to the Pegasus Project revelations about governments using Israeli-developed software to monitor journalists and activists. However, the risk of handsets engaging in automated communication without a user’s knowledge is far from new. Security specialists at AdaptiveMobile Security identified that the ‘Simjacker’ vulnerability, which relies upon SMS messages hidden from users, has been used for surveillance since 2017. In 2020 Taiwan’s police warned about cheap handsets manufactured on the Chinese mainland that come with software that dupes users into playing online games that cost them money.

Even the dumbest feature phone is also a computer that runs software. This software can be used by criminals and unethical suppliers to spy on users or steal from them. Networks, governments, retailers and consumers must remain perpetually vigilant to counter the risk of handsets engaging in automated communications that none of them understand or approve of.

You can read about the privacy tests performed by ValdikSS (in Russian) by clicking here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.