[HN Gopher] Malware found preinstalled in classic push-button ph...
___________________________________________________________________
Malware found preinstalled in classic push-button phones sold in Russia
Author : giuliomagnifico
Score : 188 points
Date : 2021-09-05 07:15 UTC (15 hours ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| legrande wrote:
| Presume _any_ phone you own has malware in it, and adjust your behavior accordingly. This means putting the phone in a Faraday sleeve when not using it, so it can't communicate with a C2, putting black nail varnish on the camera, keeping the phone in another room when having a sensitive conversation, etc.
|
| For doing the crimes, use a desktop PC with a TailsOS flash drive and communicate with XMPP with OTR, preferably with Intel Management Engine neutered and removed. Do _Not_ use a smartphone or dumbphone for criminal dealings.
| RotaryTelephone wrote:
| Found the criminal.
| recursive wrote:
| Not hard to do. It would be harder to find a non-criminal.
| askonomm wrote:
| Can't tell if you are being serious or not.
| celim307 wrote:
| For a certain demographic this is good advice.
| askonomm wrote:
| For criminals, I guess?
| recursive wrote:
| Everyone's a criminal. Some just haven't been charged or convicted yet.
| celim307 wrote:
| Business secrets, political dissidents, journalists. Let's not start the "if you got nothing to hide" argument.
| atok1 wrote:
| Hey, we can't slander or marginalize any group now. Criminals have rights!
| alisonkisk wrote:
| Why use the phone at all? It's still not safe, because it tracks your movements.
| contravariant wrote:
| My preferred method is to skip to the end and just carry around a brick. Attaching a message to it and throwing it is a pretty effective way of communicating, provided the recipient is using windows.
| grishka wrote:
| But what if they are using linux
| [deleted]
| dtgriscom wrote:
| You have to tie a string to it, so you can reclaim it before sending your next message.
| ronsor wrote:
| You can't remain anonymous if you tie a string.
| Scoundreller wrote:
| From what appears to be a Russian reddit about the one that opens a GPRS connection:
|
| > Here it was one to one, on a simple dialer with a flashlight from Fly, Bata bought it, because he liked the big screen and big buttons, what he needed, he can't even write SMS, only calls, so the tariff is without the Internet. And it began, once every two or three days, Internet access (usually at night) for 15-20kb, and the operator rounds up to a megabyte. Just like you, I turned off the data transfer in the phone, deleted the dots, everything was useless.
|
| https://pikabu.ru/story/troyanyi_i_byekdoryi_v_knopochnyikh_...
|
| The (a?) Russian seller has now recalled the phone:
|
| > DNS announces a recall campaign for two models of Dexp cell phones:
|
| > DEXP B281 2.8" GSM / 2SIM / 240x320 / 0.3MP / MicroSD / BT / FM / 1000mAh
| > DEXP SD2810 2.8" GSM / 2SIM / 240x320 / 0.3MP / MicroSD / BT / FM / 1800mAh
|
| > due to possible manufacturing defect.
|
| https://www.dns-shop.ru/news/374ef223-0bc4-11ec-a2b1-00155db...
| [deleted]
| markus_zhang wrote:
| Guess I need to learn how to dump the firmware of a dumb phone eventually. Does anyone have any advice about this? I'm reading some articles, but it looks like "dumb phone" covers a wide range of phones, from authentic Nokia old timers to who-knows companies.
| Andrew_nenakhov wrote:
| Once I bought a no-name tablet made in China that had malware installed in an unremovable 'browser' app. It was displaying ads on top of other apps, and was _installing new apps_ onto the tablet, and also restoring deleted apps, and also installing false copies of well known apps. It was rather ok because I bought it with the intention of tearing it apart, but still, the lesson for me was, _NEVER_ enter sensitive personal data in devices of unknown origins.
| ronsor wrote:
| Hey, it technically was a browser app. It just lets the shady developers browse the contents of your tablet.
| userbinator wrote:
| Keep in mind that the devices from manufacturers which people usually "trust" more also have a similar, although less-blatantly-malicious, degree of disobeying you by default (silent automatic updates, unremovable system apps, etc.)
|
| You could root it, and that would actually give you full control to delete/install/modify whatever you want.
|
| I think the real lesson here is that if you do not have full control over a device, it is not truly yours and may disobey you.
| pessimizer wrote:
| I agree, this is basically how all tech companies work now. The only thing that holds it back is the outrage cycle, which
|
| a) only turns its spotlight on companies above a certain size/visibility,
|
| b) can be defeated with a large enough marketing/lobbying spend,
|
| c) can be waited out by companies with other lines of business that bring in profits, and
|
| d) can be combated with cycles of withdrawing, quietly reintroducing, then withdrawing again, and reintroducing again until
|
| d1.) media outlets get bored with it, or
|
| d2.) all other companies in the same line start to do the same thing, a traditional way of price-fixing. Once this happens, the only way you'll be stopped is with legislation, because e.g. every TV has banner ad pop-ups from the manufacturer now.
| jmrm wrote:
| > every TV has banner ad pop-ups from the manufacturer now.
|
| AFAIK, Samsung and cheap Chinese brands (Vizio, TCL, and similar) do this.
|
| Months ago I was deciding between buying an LG or a Sony because they don't have a bad reputation around this, and the LG I finally bought doesn't have any ads. Also, cookies, extra internet stuff, and the Alexa service can be deactivated separately without affecting apps like Netflix.
| Andrew_nenakhov wrote:
| Of the well-known manufacturers, I noticed Xiaomi doing some real shit: it had an app preinstalled that displayed ads above other apps. But at least when I identified the culprit, it was possible to remove it completely and the problem went away.
| kofejnik wrote:
| I had pretty much the same experience with my Xiaomi phone (in my case, push ads were coming from a hidden non-removable Xiaomi service).
| throw_nbvc1234 wrote:
| They're not the same though; these problems need to be looked at through a combination of ability (to exploit) and motivation. Apple/Google isn't going to try and steal your identity, bank account info, or numerous other "small" things that some unknown and unaccountable company selling malware infected hardware could do.
|
| It's like when people state that online voting should be safe because online banking is safe. I'm pretty sure if a nation state really wanted to steal a few grand from your (individual) bank account, they'd be able to do it. But it'd probably cost them more money/power in doing so than it's worth.
| labster wrote:
| Online banking is safe because it is auditable and traceable. Voting has anonymity and chain-of-custody requirements that make doing it online extremely difficult.
| guerrilla wrote:
| You're moving the goalposts from what Andrew and the person responding said though. The Chinese phone is acting just like a Samsung phone, only a tad bit worse. The Russian phone and the ones you mention are of course another story like you say, but that's not what you were responding to, which is a valid point.
| drran wrote:
| > Apple/Google isn't going to try and steal your identity, bank account info, or numerous other "small" things
|
| You can believe that, and trust them, but you cannot prove it, unless you have access to the source of everything installed by Google/Apple, and the source of third party apps favored by Google/Apple. But even if you're working for a government agency and have access to sources, it's still a monumental task to do, because of the volume of the sources. It's why we, Linux owners, were crying when trivial initd and trivial shell scripts, which are easy to read and understand in about an hour or two, were replaced by Systemd, which may take days just to read the source of.
| gnopgnip wrote:
| Apple, Amazon, Google are not going to steal your credit card, identity, bank account info because you could sue them, and because consumer protection agencies would pursue them. The same is not true if you buy a no-name tablet with malware preloaded.
| google234123 wrote:
| > Linux owners, were crying when trivial initd and trivial shell scripts, which are easy to read and understand in about an hour or two, were replaced by Systemd
|
| Nah, most Linux owners didn't care, and the fact that most distributions voted with their feet to switch should say enough. Also, full init scripts were not trivial.
| pessimizer wrote:
| > Apple/Google isn't going to try and steal your identity, bank account info, or numerous other "small" things that some unknown and unaccountable company selling malware infected hardware could do.
|
| They all _could_ do it, but are you aware of any manufacturer-installed malware or rootkits on a device that have? They don't steal your bank account info or impersonate you _ever_ as far as I know; they make money off you in the same way every other company does.
|
| If we can't show any instances, then it becomes difficult to find this materially worse than what other tech companies do. It becomes more like embarrassment from being owned by an obscure foreign company rather than a famous American one.
| Razengan wrote:
| > _They all could do it_
|
| That account name is apt. _Everybody -could-_ do it. Even your spouse, your best friend, your parents. They _could_ all steal your shit. But for sanity's sake a balance has to be struck between trust and paranoia.
| krono wrote:
| The main difference, of course, being that your best friend is someone you could actually make face the legal consequences (and/or punch in the face).
|
| These oversized American corporations are practically untouchable to the majority of people. They'll pay their laughable fines, pinky promise to better self-regulate for real this time, and move on. Leaving you in the dirt.
| [deleted]
| orbital-decay wrote:
| Before a certain Android version it was pretty common for Aliexpress sellers to plant unremovable ads, third-party stores, and god knows what else into the otherwise clean firmware, to be able to sell the phone with a discount. They usually didn't deny it, or even genuinely wondered: what's wrong with it? You bought it for a cheaper price after all, you should be happy, the seller is happy, everyone is, have a nice day sir. (a real conversation I had years ago)
| Engineering-MD wrote:
| It is the potential of hardware compromise that concerns me. Software can be wiped, but if the hardware itself contains backdoors, software can then be installed at any time. Furthermore, given the global supply system, it's so hard to confirm that any hardware is not compromised.
| leephillips wrote:
| When I need to replace my phone, how do I make sure my next one has never entered Chinese-controlled territory at any stage of its manufacture--including all its components?
| mnd999 wrote:
| You can't.
| Engineering-MD wrote:
| Can you instead verify that each component is uncorrupted, a hardware hash function if you will? Looking at density, centre of gravity, weight, appearance, and/or radiographic imaging?
| 3r8Oltr0ziouVDM wrote:
| https://shop.puri.sm/shop/librem-5-usa ?
| leephillips wrote:
| $1,999: the cost of telephonic security. Looks good.
| Scoundreller wrote:
| > but connects online via GPRS behind the user's back and sends data to a remote server, including phone IMEI and IMSI codes.
|
| This could end up costing you an absolute fortune in Canada if you use data without a mobile plan.
|
| > The phone sends an SMS with the phone IMEI and IMSI codes to phone numbers hardcoded in the firmware.
|
| This could be fun.
| mdp2021 wrote:
| > _caught subscribing users to premium SMS services_
|
| If one thought of espionage...
|
| > _Also intercepts SMS confirmation messages and replies on behalf of the user_
|
| > _All the remote servers that received this activity were located in China_
| orbital-decay wrote:
| Espionage is highly unlikely since nobody important will buy the cheapest of the cheap dumb phones. Most likely it's used for CC theft, spam, proxying, forcing unwanted paid subscriptions, and other scamming schemes. That DEXP is involved is especially interesting because it's a face brand for DNS, a large Russian retailer. While all these models are Chinese OEM phones with a label slapped on them and little to no modification otherwise, it's possible that DNS is involved.
|
| I also want to mention that the "Russian hacker groups don't do cybercrime at home, and the state lets them do it abroad" meme, which half of HN seems to sincerely believe, is _extremely_ misguided, and just sounds bizarre to anyone who follows the topic. There is a continuum of loosely related Russian-speaking criminals in Russia, Ukraine, Belarus, Kazakhstan, and the Baltic States (mostly Lithuanian criminals who traditionally work as the EU bridge for others), and it's always hard to tell who is located where. Some of them have some ties with the Russian state (regardless of the country of origin), most don't. Domestic cybercrime is _rampant_ in Russia, often involves big names (such as the top 3 mobile operators in Russia), and the mere notion it's controlled in some way is ridiculous. The only issue is there's not much money to steal, so they turn to EU and US targets.
| ahsima1 wrote:
| Actually, considering the low pay and the rules prohibiting smartphones at many Russian defence companies, cheap dumb phones may be a great target for espionage.
| orbital-decay wrote:
| _> and the rules prohibiting smartphones at many Russian defence companies_
|
| In such companies, you typically leave any electronic devices on you (including watches) at the gate, from clocking in to clocking out. Nobody would care if your phone is dumb, it's still breaking the rule.
| ahsima1 wrote:
| Depends, some do indeed ban all electronic devices, others only ban smartphones and any devices with cameras. Probably after this incident most of them will move towards the former policy.
| dantyti wrote:
| > mostly Lithuanian criminals who traditionally work as the EU bridge for others
|
| Could you share any source for this?
| boomboomsubban wrote:
| > Espionage is highly unlikely since nobody important will buy cheapest of the cheap dumb phones
|
| I agree that this event is unlikely to be espionage, but someone important might buy a cheap dumb burner phone. I wouldn't put it past an intelligence agency to wholesale compromise cheap dumb phones for that reason.
| thriftwy wrote:
| According to the original article, DEXP has stopped selling these phones and is doing an internal investigation.
|
| The real criminal here is Russia's big three (I would say, excluding MTS but including a new hot contender, Tele2) who repeatedly rob vulnerable and elderly people via "paid content" schemes which have zero usefulness outside of scams.
| sys_64738 wrote:
| How do we never hear from the individuals who actually wrote the code to do these things? It'd be great to get an expose on the motivations and rationale for all this creeper spyware installed by rogue companies.
| srvmshr wrote:
| In Russia, you don't own a phone; the phone owns you.
| coldtea wrote:
| So just like in the US?
| jdthedisciple wrote:
| Please -- evidence? (In case you're actually insinuating that the US has precedents, or even present cases, of sth. like this)
| [deleted]
| valparaiso wrote:
| Russia is already an authoritarian state where people are jailed for no reason, and the USA is leaning towards it with a left-extremist agenda.
| 3r8Oltr0ziouVDM wrote:
| Yes.
| Scoundreller wrote:
| Apple pulls some tricks like this with otherwise hidden-from-user SMSs.
|
| In France, some cheap SIM cards charge per MB and per SMS until you register a plan. So I carefully disabled mobile data, avoided SMS, loaded 10 EUR of credit over wifi, which 'activated' the phone on the network, but when I went to sign up for the 10 EUR plan, I found I only had 9,95 EUR left.
|
| As soon as credit was loaded, my iPhone sent an SMS ping to an Apple shortcode to tell iMessage my new number. The sending and record of this SMS was completely hidden from the user on the phone. Cue some he-said she-said with the carrier about whether I did or didn't send an SMS. Most mobile providers zero-rate shortcodes to Apple and hide it on their billing system too, but not Lebara.
|
| So I had to add 5 EUR more of credit just to buy the 10 EUR package for the month.
| uzakov wrote:
| Link to the original research: https://habr.com/ru/post/575626/
| greenyoda wrote:
| Translation from Russian to English: https://translate.google.com/translate?hl=&sl=ru&tl=en&u=htt...
___________________________________________________________________
(page generated 2021-09-05 23:00 UTC)