Trojans and Backdoors in Budget Mobile Phones
A security researcher purchased five budget button phones and discovered that four contained undisclosed malicious functionality, including tracking, premium SMS trojans, and SMS-intercepting backdoors.
Introduction
TL;DR: A significant number of simple button phones available in stores contain unwanted undocumented features. They can automatically send SMS messages or access the internet to report the fact of purchase and use of the phone (transmitting the phone's IMEI and SIM card IMSI). Some models have a built-in trojan that sends paid SMS messages to premium numbers with text loaded from a server, and there are devices with a real backdoor that forwards incoming SMS messages to an attacker's server.
The study of mobile phones began with a simple idea: can these cheap and widely available handsets be used to receive SMS messages on a computer? Phones are much cheaper than common USB GSM modems, plus most models support 2 SIM cards, and some even up to four.
Because there is almost no public information about whether modern phones expose an AT command port at all, or what it can do, I decided to buy several devices that were as different from each other as possible and test them.
But how to choose truly different phones?
The Three Pillars of Mobile SoCs
There are three main manufacturers of system-on-chip solutions for button phones:
- RDA Microelectronics — MIPS architecture, 2G standard. No longer manufactured but still sold. The company was acquired by Spreadtrum.
- Spreadtrum — ARM architecture, 2G/3G/4G standards. Rebranded as Unisoc, but continues to produce chips under the old brand.
- Mediatek — ARM architecture, 2G/3G/4G standards. Has product lines for smartphones, button phones, IoT, embedded devices, etc.
Each chip manufacturer provides its own SDK for developing firmware based on their chips. SDKs from different manufacturers differ drastically and are typically written for a specific chip line and purpose. The functions of the end device also depend on the operating system: the SDK may be integrated into a real-time OS through a HAL.
You don't need to buy dozens or hundreds of phones for thorough testing: it's enough to buy several models from different SoC manufacturers with different operating systems.
What I Bought and What I Found
I picked the phones almost at random, guided by the look of the interface in photos and video reviews and by the sparse information about each SoC available online:
- Inoi 101 (RDA8826/SC6533, 600₽)
- DEXP SD2810 (SC6531E, 699₽)
- Itel it2160 (MT6261, 799₽)
- Irbis SF63 (SC6531DA, 750₽)
- F+ Flip 3 (SC6531DA, 1499₽)
Pretty quickly I realized that something was wrong with the phones...
Classification of Unwanted Functions
The malicious activity of the phones can be divided into three categories:
1. Sending SMS and Accessing the Internet for "Sales Tracking"
The most harmless function, not causing significant financial damage to the mobile account. The device, without the user's knowledge, sends an SMS (to a regular phone number) or accesses the internet, transmitting the phone's IMEI number and SIM card IMSI to an unidentified organization or individual.
Depending on the model, the report is sent once (and again only after a factory reset) or after every battery removal.
2. Trojan Sending SMS to Premium (Short) Numbers After Loading Text and Number from a Server via the Internet
A function that systematically drains funds from the mobile number's balance. In addition to frequent automatic and covert internet access (which itself costs money on non-data plans), the mobile device sends separately charged SMS messages to short numbers, intercepts the confirmation SMS, and sends the confirmation text in response.
3. Backdoor Intercepting Incoming SMS Messages and Sending Them to a Server
Allows attackers to use your phone number for registrations on services requiring SMS confirmation. The phone periodically accesses the internet and receives commands from a server, and the results of command execution are sent back to the server.
Methods of Detection and Analysis of Malicious Activity
Checking mobile operator billing details — a method available to anyone. Simply insert a working SIM card into the phone, turn it on, and leave it for a full 24 hours, then request a detailed report as a file through the mobile operator's online account. This method reveals the fact of internet access (without host addresses or transmitted content), the fact of SMS sending and the recipient's number, and the exact time of actions taken.
Billing details make it easy to understand whether the phone contains unwanted functionality, without getting into the specifics.
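The billing check described above can be automated once the operator's detailed report is exported as a file. The following script is an added example, not code from the original article: it assumes a ';'-separated export with the columns timestamp, type, number and cost (real operator exports use their own layouts and need their own parser), and the rows in it are constructed to resemble 24 hours with an untouched new phone: a "sales tracking" SMS, a data session, and a premium-SMS exchange with its automatic confirmation reply.

```python
"""Triage of a mobile operator's detailed billing export.

Added example, not code from the original article. The export format
(';'-separated: timestamp, type, number, cost) and the rows in SAMPLE_EXPORT
are assumptions constructed for the demo, not real billing data.
"""
import csv
import io
from datetime import datetime

# Constructed sample export (not real billing data).
SAMPLE_EXPORT = """\
timestamp;type;number;cost
2021-03-01 10:02:11;SMS_OUT;+79584971255;2.00
2021-03-01 10:02:40;GPRS;;0.00
2021-03-01 12:15:03;SMS_OUT;4169;50.00
2021-03-01 12:15:20;SMS_IN;4169;0.00
2021-03-01 12:15:31;SMS_OUT;4169;0.00
2021-03-01 18:40:00;CALL_OUT;+79001234567;1.50
"""


def parse_export(text):
    """Parse the export into dicts with a datetime 'ts' and a float 'cost'."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [
        {
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "type": row["type"],
            "number": row["number"],
            "cost": float(row["cost"]),
        }
        for row in reader
    ]


def is_short_number(number):
    """Service/premium numbers are 3-6 digit short codes with no country prefix."""
    return number.isdigit() and 3 <= len(number) <= 6


def triage(rows, known_numbers=(), has_browser=False, reply_window=60):
    """Return (severity, description) findings for events the user did not cause.

    known_numbers: numbers the user really called or texted.
    has_browser:   whether the phone can legitimately open data sessions.
    reply_window:  seconds within which an outgoing SMS following an incoming
                   one from the same number is treated as an automatic reply
                   (the confirmation-SMS pattern of the premium-SMS trojan).
    """
    findings = []
    last_incoming = {}  # number -> time of the last SMS received from it
    for r in rows:
        if r["type"] == "SMS_IN":
            last_incoming[r["number"]] = r["ts"]
        elif r["type"] == "SMS_OUT" and r["number"] not in known_numbers:
            n = r["number"]
            since_in = None
            if n in last_incoming:
                since_in = (r["ts"] - last_incoming[n]).total_seconds()
            if since_in is not None and 0 <= since_in <= reply_window:
                findings.append(("high", f"{r['ts']} automatic reply to {n} {since_in:.0f}s after an incoming SMS"))
            elif is_short_number(n):
                findings.append(("high", f"{r['ts']} SMS to short number {n}, cost {r['cost']:.2f}"))
            else:
                findings.append(("medium", f"{r['ts']} SMS to unknown number {n}, cost {r['cost']:.2f}"))
        elif r["type"] == "GPRS" and not has_browser:
            findings.append(("medium", f"{r['ts']} data session on a phone with no browser"))
    return findings


def classify(findings):
    """Map findings onto the article's categories as far as billing alone allows.

    Billing shows the fact of a data session but not its content, so a backdoor
    that only forwards incoming SMS over GPRS cannot be told apart here from a
    one-off sales report; both land in the 'medium' bucket for manual follow-up.
    """
    severities = {s for s, _ in findings}
    if "high" in severities:
        return "premium-SMS trojan"
    if "medium" in severities:
        return "covert SMS/internet activity (sales report or backdoor traffic)"
    return "clean"


if __name__ == "__main__":
    found = triage(parse_export(SAMPLE_EXPORT), known_numbers={"+79001234567"})
    for severity, text in found:
        print(severity, text)
    print("verdict:", classify(found))
```

The auto-reply check is what separates a premium subscription the user signed up for from the trojan behaviour in category 2: a phone that answers a short-code SMS within seconds of receiving it is acting on its own.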
Firmware analysis — a resource-intensive method requiring deep knowledge of phone architecture and reverse engineering techniques, but allowing detailed analysis of malicious firmware functions, as well as their removal.
Firmware analysis consists of three stages:
- Obtaining a dump from the phone or finding and downloading firmware online
- Unpacking compressed firmware sections if necessary
- Manually examining the firmware code
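The third stage usually starts with string extraction: phone numbers, hostnames, SMS-related function names and command keywords are what gave away every case in this article. The script below is an added example, not code from the original article, and the "firmware" it scans is a constructed blob assembled from strings quoted elsewhere on this page, not a real dump; the directive keywords and the set of TLDs it looks for are likewise assumptions for the demo.

```python
"""String triage of an unpacked phone firmware image.

Added example, not code from the original article. build_sample_firmware()
returns a constructed blob (filler plus strings quoted in the article), not
a real dump; DIRECTIVES and the TLD list in HOST_RE are demo assumptions.
"""
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # runs of >= 6 printable ASCII bytes
PHONE_RE = re.compile(r"^\+?\d{10,15}$")                  # E.164-like numbers, with or without '+'
URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s\"']*)?")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|cn|ru)\b", re.I)
DIRECTIVES = (b"FNUM", b"FCON", b"CCON", b"GRABSMS")     # C&C keywords named in the article
DIRECTIVE_STRINGS = {d.decode() for d in DIRECTIVES}


def build_sample_firmware():
    """Constructed stand-in for a firmware dump: non-ASCII filler around strings."""
    filler = bytes(range(0x80, 0x100)) * 4
    return b"".join([
        filler,
        b"gmb_sms_sales_send_sms_ext\x00",
        filler,
        b"+79584971255\x00+92313568243\x0018049479956\x00",
        filler,
        b"http://www.mgs123.com/index.php\x00",
        b"hwwap.well2266.com\x00",
        filler,
        b"FNUM\x00FCON\x00CCON\x00GRABSMS\x00",
        filler,
    ])


def extract_strings(blob):
    """Yield (offset, text) for every run of printable ASCII in the image."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def triage_firmware(blob):
    """Return (offset, category, value) hits worth opening in a disassembler.

    Offsets are image offsets, so they can be mapped to addresses once the
    load base is known. Short directive keywords are searched in the raw
    bytes because they are below the minimum string length.
    """
    hits = []
    for off, s in extract_strings(blob):
        if s in DIRECTIVE_STRINGS:
            continue  # handled by the raw keyword scan below
        if PHONE_RE.match(s):
            hits.append((off, "phone", s))
        elif URL_RE.search(s):
            hits.append((off, "url", URL_RE.search(s).group()))
        elif HOST_RE.search(s):
            hits.append((off, "host", HOST_RE.search(s).group()))
        elif "sms" in s.lower() and re.fullmatch(r"\w+", s):
            hits.append((off, "sms_function", s))
    for d in DIRECTIVES:
        for m in re.finditer(re.escape(d), blob):
            hits.append((m.start(), "directive", d.decode()))
    return sorted(hits)


if __name__ == "__main__":
    for off, cat, val in triage_firmware(build_sample_firmware()):
        print(f"0x{off:08x} {cat:13s} {val}")
```

On a real image the phone-number hits are the quickest lead: as with the F+ firmware, a table of numbers keyed by PLMN is hard to explain as anything but a per-country reporting destination.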
The simplest and most universal, but expensive or dangerous method of dumping firmware is using so-called "boxes" — hardware-software complexes from third-party developers for flashing and restoring a wide range of phones. About 15 years ago, boxes were widespread and in demand, as each phone manufacturer had its own cable, its own method of connecting to a computer in service mode, and often required connecting to contact pads in the battery compartment. Modern phones generally don't need this, and current "boxes" are just special software capable of performing all operations via USB connection.
For dumping firmware, I used a cracked version of Miracle Box. To prevent easy comparison of modifications made by crackers, the cracked version has Enigma Protector applied on top of VMProtect, which is used in the original software. Because of this, the program takes about a minute to start and lags when rendering buttons and components when switching tabs.
The crackers didn't bother disabling the program's internet functions, which allowed the authors to detect the use of the cracked version and, apparently, execute arbitrary code on the user's computer: threatening messages about collecting and sending all saved passwords to the server appear in the log window.
The advantage of such software is full process automation: the program itself determines the specific processor model, flash memory address, and its size. Some boxes contain built-in exploits for bypassing Secure Boot and other similar protections.
There are also alternative ways to obtain a dump. For Mediatek chips, the official MTK Flash Tool can read arbitrary memory ranges, and for RDA there is a ready-made script that can read flash and RAM alike.
Official software for Spreadtrum: SPD Flash Tool / ResearchDownload.
For unpacking firmware from the main ALICE partition of Mediatek chips, you can use the third-party tool unalice, which decompresses the file.
I've already written about working with RDA firmware in a separate article. The simplest method is to let the phone unpack everything itself, then extract the unpacked data from RAM while the phone is running.
On Spreadtrum, the main part of the firmware is compressed with a modified LZMA for which, at the time of writing, no public unpacker existed (see the Updates section below). To unpack it, you have to patch the uncompressed part of the code so that it performs the decompression using the hardware and streams the unpacked code out to the computer, but on my only device the UART port was wired to the DSP rather than the main processor, and I couldn't switch it. Other output channels could be used (the speaker or the flashlight as a transport, for example), but I decided against it.
2G Base Station — a convenient and easy-to-configure method for mass practical analysis of malicious activity without preliminary preparation of each device, but requiring significant capital expenditure for purchasing SDR equipment.
The method provides access to all GSM/GPRS network traffic, with the ability to view and modify it on the fly.
My configuration:
- bladeRF x115 ($650)
- Raspberry Pi 400 ($100)
- Open-source and free base station software YateBTS
- Wireshark for analyzing GSM and internet traffic
BladeRF is powered via USB and requires no additional components. A regular dipole antenna is sufficient to get started.
YateBTS autonomously implements all components of the GSM stack, making it installable and configurable in literally 30 minutes. It's perfectly suited for this kind of research!
The Phones
Inoi 101
The first and "cleanest" device purchased — Inoi 101.
This phone does not contain malicious functions. It has typical unwanted things like SMS subscription menus and paid games, but the device does not perform any actions independently or covertly.
Itel it2160
Itel is a Chinese manufacturer producing devices for developing countries. It's part of the Transsion holding, which unites the brands Tecno, itel, Infinix, and Spice.
The Itel it2160 model reports "a sale" via the internet, without warning.
A panel was found at the domain asv.transsion.com containing information about sold devices, which the devices themselves send to the server:
- IMEI
- Country
- Model
- Firmware version
- Language
- Activation time
- Base station identifier (LAC/TAC)
The base station identifier allows determining the phone's location with accuracy of approximately 5 kilometers.
Panel address: http://asv.transsion.com:8080/openinfo/open/index
F+ Flip 3
Flip 3 from OEM supplier F+ reports "the fact of sale" via SMS to the number +79584971255, sending the IMEI and IMSI in the message body.
Does not contain a browser, does not access the internet.
Firmware decompilation reveals the presence of other phone numbers for various countries: +92313568243 for Pakistan (PLMN 410), +8804445600006 for Bangladesh (PLMN 470), 18049479956 for Azerbaijan and Kazakhstan (PLMN 400, 401), +9156767215 for India (PLMN 404, 405).
In addition to IMEI and IMSI, the SMS text contains three constants, apparently indicating the phone model and batch number (manufacturing date).
User reviews:
After turning on, the device sent some SMS to the number 9584971255. Most likely, I'll return the device to the store.
Confirmed. The phone itself sent an SMS to this number +79584971255. 2 rubles were deducted, my mobile operator is MTS.
Firmware archives for several BQ brand models, which are very similar to the F+ firmware, were found online. Apparently these are the OEM manufacturer's original, unrepackaged archives, which contain not only the firmware itself but also the files needed to debug it. In particular, the archives include the firmware as an .elf file, without compressed sections and with debug symbols.
Opening the .elf file in IDA, we can see the original function and variable names.
The SMS sending function is called gmb_sms_sales_send_sms_ext, where gmb is probably gmobi — an SMS subscription service provider.
I tried to get details about this functionality from the manufacturer. The following dialogue took place with F+:
The F+ Flip 3 button phone automatically and invisibly to the user sends SMS messages to the number +79584971255 when certain SIM cards are inserted.
For what purpose is this functionality embedded in F+ devices?
>>> No information.
Why is it not declared on the official website, box, or device instructions?
>>> Because this functionality was not implemented by our engineers.
How is the received data processed?
>>> No information.
What legal or natural person owns the number +79584971255?
>>> No information.
06/03/2021: We are working on resolving this issue. Newer revisions with new firmware do not have this problem.
06/15/2021: The service center has received firmware SW06 which resolves this problem.
The request to make the updated firmware version publicly available was refused, and further questions were ignored.
From BQ, whose firmware I analyzed and found similar functionality (sending SMS to +79629511090), I received only advice to contact the service center, with further questions ignored.
DEXP SD2810
DEXP SD2810, a house brand of the DNS retail chain.
A dangerous phone that drains money from your mobile account.
- Does not contain a browser, but connects to GPRS
- Reports "a sale" via the internet, without warning
- Transmits IMEI, IMSI
- Contacts a C&C server on the internet and executes its commands
- Sends paid SMS to short numbers with text received from the server
The phone periodically sends POST requests over unencrypted HTTP to the domain www.mgs123.com and acts on the server's replies by sending SMS messages.
The reply specifies the destination number (FNUM directive; observed value 4169), the message text or prefix (FCON directive; observed text "gooo mgs") and, among other things, the expected text of the confirmation SMS (CCON) and the text to send back in reply to it (GRABSMS).
The domain www.mgs123.com is registered in China, and hosting is also located in that country on the Alibaba cloud.
Excerpt from a news report about a consumer:
On 01/02/2019, we purchased a DEXP SD2810 phone. On the day of purchase, we inserted SIM cards and after 2 hours, 50 rubles were deducted from the account. According to the billing details, I saw an SMS sent to number 4446.
On 01/15/2019 and 02/02/2019, SMS messages were also sent to the same number 4446, and 50 rubles were deducted for each.
DEXP did not respond to the inquiry about the malicious functionality.
Irbis SF63
Model SF63 from OEM supplier Irbis.
A dangerous phone that uses your phone number for commercial purposes, to register third parties on internet services.
- Does not contain a browser, but connects to GPRS
- Reports "a sale" via the internet, without warning
- Transmits encrypted data to a server
- Contacts a C&C server on the internet and executes its commands
This "grandma phone" left the store with clean, updated firmware. Only one firmware image for this model could be found online; when installed on the device, it turned out to contain a backdoor.
The phone, like the DEXP, sends POST requests over HTTP, but this model encrypts the transmitted data with a proprietary algorithm using what appears to be a fixed key: the encrypted parameters are identical most of the time, and when they do change, the changes are minor. Identical ciphertext for repeated reports means the encryption is deterministic, with no per-message key or IV, so repetition in the plaintext shows straight through.
Data is transmitted to the domain hwwap.well2266.com.
The domain is registered and hosted in China, on the Alibaba cloud.
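Both the DEXP C&C exchange and the Irbis opaque-body observation above can be checked mechanically from the traffic captured at the test base station. The script below is an added example, not code from the original article. It assumes the captured replies have already been reassembled into text and bodies, that the DEXP-style reply is a list of "KEY=VALUE" lines (the article names the directive keys and the observed FNUM/FCON values, not the wire format; the CCON/GRABSMS values here are placeholders), and that the Irbis-style bodies below are constructed byte strings, not real captures.

```python
"""Checks on HTTP traffic captured at a YateBTS test base station.

Added example, not code from the original article. The "KEY=VALUE" reply
format, the CCON/GRABSMS placeholder values and the byte-string bodies are
assumptions for the demo; only the hostnames, directive names and the
observed FNUM/FCON values come from the article.
"""
import hashlib

# Constructed C&C reply in the assumed line format (FNUM/FCON values as observed
# in the article; CCON/GRABSMS values are placeholders).
DEXP_REPLY = "FNUM=4169\nFCON=gooo mgs\nCCON=CONFIRM\nGRABSMS=Y\n"

# Constructed opaque POST bodies: the same 32-byte report repeated, one copy
# with two bytes changed, as the Irbis traffic looked.
_REPORT = bytes(range(32))
IRBIS_BODIES = [_REPORT, _REPORT, _REPORT, _REPORT[:30] + b"\xff\xfe", _REPORT]

# Constructed counter-example: what properly randomized encryption of repeated
# plaintext would look like (distinct digests stand in for distinct ciphertexts).
RANDOM_IV_BODIES = [hashlib.sha256(b"report%d" % i).digest() for i in range(5)]


def parse_directives(reply):
    """Parse a reply of the assumed form 'KEY=VALUE' per line into a dict."""
    directives = {}
    for line in reply.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().upper()] = value.strip()
    return directives


def is_short_number(number):
    """3-6 digit short codes are the premium/service numbers that cost money."""
    return number.isdigit() and 3 <= len(number) <= 6


def assess_cnc(directives):
    """Describe what the server is telling the phone to do with SMS."""
    findings = []
    number = directives.get("FNUM")
    if number:
        kind = "short (premium) number" if is_short_number(number) else "number"
        findings.append("send SMS '%s' to %s %s" % (directives.get("FCON", ""), kind, number))
    if "CCON" in directives or "GRABSMS" in directives:
        findings.append("confirmation SMS intercept: expect '%s', reply '%s'"
                        % (directives.get("CCON", ""), directives.get("GRABSMS", "")))
    return findings


def diff_fraction(a, b):
    """Fraction of byte positions that differ between two bodies."""
    n = max(len(a), len(b))
    if n == 0:
        return 0.0
    diffs = sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))
    return diffs / n


def looks_deterministic(bodies, threshold=0.25):
    """True if every consecutive pair of bodies differs in at most `threshold` of bytes.

    Encryption with a fresh key or IV per message makes successive ciphertexts
    of the same report differ almost everywhere; a fixed key with no nonce
    leaves them identical apart from the few plaintext bytes that changed.
    """
    if len(bodies) < 2:
        return False
    return all(diff_fraction(bodies[i - 1], bodies[i]) <= threshold
               for i in range(1, len(bodies)))


if __name__ == "__main__":
    for line in assess_cnc(parse_directives(DEXP_REPLY)):
        print("www.mgs123.com:", line)
    print("hwwap.well2266.com bodies deterministic:", looks_deterministic(IRBIS_BODIES))
    print("randomized bodies deterministic:", looks_deterministic(RANDOM_IV_BODIES))
```

The determinism check is the cheap test to run before attempting to reverse the cipher: if it passes, replaying a captured body to the server is likely to be accepted, and the few bytes that change between captures are where the varying fields (counters, timestamps, SMS contents) sit.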
Excerpt from a note about the grandma phone:
It all started on October 24, 2020. The phone happily sent me a notification that a new contact had registered on Telegram. Sleep vanished instantly because my girlfriend's grandmother had registered on Telegram.
Excerpt from another note:
Today I get a message on Telegram that my grandmother is now on Telegram! I was very surprised, because my grandmother is over 80 years old, has a button phone with no internet access. I called her to check, and she said she recently received an SMS code from the Telegram number.
Results
4 out of 5 phones contain undeclared functionality, of which:
- 2 models leak data after purchase (report the sale via SMS/internet);
- 1 model accesses the internet and sends paid SMS to short numbers;
- 1 model forwards incoming messages via the internet.
Who Is to Blame?
First and foremost, the brand under which the phones are sold is to blame. The brand orders the development of the device itself and firmware from an OEM manufacturer but does not check the final device for undeclared capabilities. For some reason, many brands do not post firmware on their website and instead send users to a service center for updates in case of problems.
Brands F+ and BQ deny the problem or remain silent about it.
The OEM manufacturer is ready to implement any whim of the brand or third-party module manufacturer, at your expense.
Also to blame is the absence of a specialized government body that would deal with such problems. The relevant ministry checks only product certification for compliance with global and national communications standards, not the functionality of the final device.
The ministry recommended contacting consumer protection authorities, shifting the problem to the seller-buyer relationship.
The Ministry of Digital Development, Communications, and Mass Communications has reviewed your inquiry and reports the following.
According to the Regulations, the Ministry exercises functions for developing and implementing state policy in the field of communications.
We inform you that the communication devices have passed the mandatory conformity assessment procedure.
It should be noted that in accordance with the Rules, when declaring telephone devices, checking for the presence or absence of automatic short message sending is not provided for.
Federal state supervision in the field of consumer rights protection is carried out by the consumer protection authority.
What Should You Do?
There are an enormous number of mobile phones, and it's impossible to check them all.
- Buy only proven global brands: Nokia phones do not contain malicious functionality, but they cost 2-4 times more than cheaper alternatives;
- Read reviews before buying: it's better to buy a proven model that has been on the market for a long time with an impeccable reputation than to risk with new releases;
- Monitor new phone behavior after purchase for 24 hours using operator billing details;
- Write to consumer protection authorities and the manufacturer if you detect suspicious activity.
...And What About Receiving SMS?
None of the purchased phones provides a full-fledged AT port via USB or Bluetooth. Reading SMS messages from a computer is not implemented anywhere.
Updates
- An unpacker for the Spreadtrum processor partition has been created.
- A DNS representative has launched a recall campaign for DEXP B281 and DEXP SD2810 models.
- A firmware dumper for SC6531E/SC6531DA chipsets has been created.