20.5k unique visitors in the last 3 days

SMS-Sending Spyware Preinstalled on Some Russian and Chinese Feature Phones

A researcher tested various phones and found some sent messages that cost money whilst others signed users up for online services.

A security researcher claims that several feature phones widely sold in Russia have preinstalled malware that leads to fraudulent usage charges or surveillance of the user’s messages. A post by user ValdikSS on the Russian collaborative blog Habr stated that he checked several handsets and found examples of malware that would:

  • send secret SMS messages sharing the handset’s IMEI and the SIM card’s IMSI numbers;
  • incur usage fees by repeatedly sending messages to short codes supplied using the internet; or
  • secretly register for online services by sending SMS confirmations to messages received.

Both the Russian-made Flip 3 from F+ and the Chinese-manufactured Itel it2160 were found to send SMS messages with the IMEI and IMSI, effectively ‘announcing’ the sale of the device when it is first switched on.

The DEXP SD2810 is made for and sold by the Russian DNS chain of retail electronic stories. ValdikSS identified that this handset both announces it sale by GPRS and then receives commands from www.mgs123.com that tell the device to send SMS messages to various numbers.

The Russian-made Irbis SF63 (pictured) was found to announce its sale by GPRS, then would exchange encrypted comms with a web domain registered in China, hwwap.well2266.com. These encrypted messages would apparently instruct the phone to send confirmation SMS messages so the handset was enrolled to use services without the user’s knowledge. ValdikSS cited an example where the user was signed up to use the Telegram messaging app.

The issue of spyware being installed on handsets has gained prominence due to the Pegasus Project revelations about governments using Israeli-developed software to monitor journalists and activists. However, the risk of handsets engaging in automated communication without a user’s knowledge is far from new. Security specialists at AdaptiveMobile Security identified that the ‘Simjacker’ vulnerability, which relies upon SMS messages hidden from users, has been used for surveillance since 2017. In 2020 Taiwan’s police warned about cheap handsets manufactured on the Chinese mainland that come with software that dupes users into playing online games that cost them money.

Even the dumbest feature phone is also a computer that runs software. This software can be used by criminals and unethical suppliers to spy on users or steal from them. Networks, governments, retailers and consumers must remain perpetually vigilant to counter the risk of handsets engaging in automated communications that none of them understand nor approve of.

You can read about the privacy tests performed by ValidkSS (in Russian) by clicking here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email