[HN Gopher] Malware found preinstalled in classic push-button ph...
___________________________________________________________________
Malware found preinstalled in classic push-button phones sold in
Russia
Author : giuliomagnifico
Score : 188 points
Date : 2021-09-05 07:15 UTC (15 hours ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| legrande wrote:
| Presume _any_ phone you own has malware in it, and adjust your
| behavior accordingly. This means putting the phone in a Faraday
| sleeve when not using it, so it can't communicate with a C2,
| putting black nail varnish on the camera, keeping the phone in
| another room when having a sensitive conversation, etc.
|
| For doing the crimes, use a desktop PC with a TailsOS flash drive
| and communicate with XMPP with OTR preferably with Intel
| Management Engine neutered and removed. Do _Not_ use a smartphone
| or dumbphone for criminal dealings.
| RotaryTelephone wrote:
| Found the criminal.
| recursive wrote:
| Not hard to do. It would be harder to find a non-criminal.
| askonomm wrote:
| Can't tell if you are being serious or not.
| celim307 wrote:
| For a certain demographic this is good advice
| askonomm wrote:
| For criminals, I guess?
| recursive wrote:
| Everyone's a criminal. Some just haven't been charged or
| convicted yet.
| celim307 wrote:
| Business secrets, political dissidents, journalists.
| Let's not start the "if you got nothing to hide" argument
| atok1 wrote:
| Hey, we can't slander or marginalize any group now.
| Criminals have rights!
| alisonkisk wrote:
| Why use the phone at all? It's still not safe, because it
| tracks your movements.
| contravariant wrote:
| My preferred method is to skip to the end and just carry around
| a brick. Attaching a message to it and throwing it is a pretty
| effective way of communicating, provided the recipient is using
| windows.
| grishka wrote:
| But what if they are using Linux?
| [deleted]
| dtgriscom wrote:
| You have to tie a string to it, so you can reclaim it before
| sending your next message.
| ronsor wrote:
| You can't remain anonymous if you tie a string.
| Scoundreller wrote:
| From what appears to be a Russian reddit about the one that opens
| a GPRS connection:
|
| > Here it was one to one, on a simple dialer with a flashlight
| from Fly, Bata bought it, because he liked the big screen and big
| buttons, what he needed, he can't even write SMS, only calls, so
| the tariff is without the Internet. And it began, once every two
| or three days, Internet access (usually at night) for 15-20kb,
| and the operator rounds up to a megabyte. Just like you, I turned
| off the data transfer in the phone, deleted the dots, everything
| was useless.
|
| https://pikabu.ru/story/troyanyi_i_byekdoryi_v_knopochnyikh_...
|
| The (a?) Russian seller has now recalled the phone:
|
| > DNS announces a recall campaign for two models of Dexp cell
| phones:
|
| > DEXP B281 2.8" GSM / 2SIM / 240x320 / 0.3MP / MicroSD / BT / FM
| / 1000mAh
|
| > DEXP SD2810 2.8" GSM / 2SIM / 240x320 / 0.3MP / MicroSD / BT /
| FM / 1800mAh
|
| > due to possible manufacturing defect.
|
| https://www.dns-shop.ru/news/374ef223-0bc4-11ec-a2b1-00155db...
| [deleted]
| markus_zhang wrote:
| Guess I need to learn how to dump the firmware of a dumb phone
| eventually. Does anyone have any advice about this? I'm reading
| some articles, but it looks like "dumb phone" covers a wide
| range of phones, from authentic Nokia old timers to who-knows
| companies.
| Andrew_nenakhov wrote:
| Once I bought a no-name tablet made in China that had
| malware installed in an unremovable 'browser' app. It was
| displaying ads on top of other apps, and was _installing new
| apps_ onto the tablet, and also restoring deleted apps, and also
| installing false copies of well-known apps. It was rather OK
| because I bought it with the intention of tearing it apart, but
| still, the lesson for me was: _NEVER_ enter sensitive personal
| data in devices of unknown origins.
| ronsor wrote:
| Hey, it technically was a browser app. It just lets the shady
| developers browse the contents of your tablet.
| userbinator wrote:
| Keep in mind that the devices from manufacturers which people
| usually "trust" more also have a similar, although less-
| blatantly-malicious, degree of disobeying you by default
| (silent automatic updates, unremovable system apps, etc.)
|
| You could root it, and that would actually give you full
| control to delete/install/modify whatever you want.
|
| I think the real lesson here is that if you do not have full
| control over a device, it is not truly yours and may disobey
| you.
| pessimizer wrote:
| I agree, this is basically how all tech companies work now.
| The only thing that holds it back is the outrage cycle, which
|
| a) only turns its spotlight on companies above a certain
| size/visibility,
|
| b) can be defeated with a large enough marketing/lobbying
| spend, and
|
| c) can be waited out by companies with other lines of
| business that bring in profits, and
|
| d) can be combated with cycles of withdrawing, quietly
| reintroducing, then withdrawing again, and reintroducing
| again until
|
| d1.) media outlets get bored with it, or
|
| d2.) all other companies in the same line start to do the
| same thing, a traditional way of price-fixing. Once this
| happens, the only way you'll be stopped is with legislation,
| because e.g. every TV has banner ad pop-ups from the
| manufacturer now.
| jmrm wrote:
| > every TV has banner ad pop-ups from the manufacturer now.
|
| AFAIK, Samsung and cheap Chinese brands (Vizio, TCL, and
| similar) do this.
|
| Months ago I was between buying an LG or a Sony because they
| don't have a bad reputation around this, and the LG I finally
| bought doesn't have any ads. Also, cookies, extra internet stuff,
| and the Alexa service can be deactivated separately without
| affecting apps like Netflix.
| Andrew_nenakhov wrote:
| Of the well-known manufacturers, I noticed Xiaomi doing some
| real shit: it had an app preinstalled that displayed ads
| above other apps. But at least when I identified the culprit,
| it was possible to remove it completely and the problem went
| away.
| kofejnik wrote:
| I had pretty much the same experience with my Xiaomi phone (in
| my case, push ads were coming from a hidden non-removable
| Xiaomi service).
| throw_nbvc1234 wrote:
| They're not the same though; these problems need to be looked
| at through a combination of ability (to exploit) and
| motivation. Apple/Google isn't going to try and steal your
| identity, bank account info, or numerous other "small" things
| that some unknown and unaccountable company selling malware
| infected hardware could do.
|
| It's like when people state that online voting should be safe
| because online banking is safe. I'm pretty sure if a nation
| state really wanted to steal a few grand from your
| (individual) bank account, they'd be able to do it. But it'd
| probably cost them more money/power in doing so than it's
| worth.
| labster wrote:
| Online banking is safe because it is auditable and
| traceable. Voting has anonymity and chain-of-custody
| requirements that make doing it online extremely difficult.
| guerrilla wrote:
| You're moving the goalpost from what Andrew and the person
| responding said though. The Chinese phone is acting just
| like a Samsung phone, only a tad bit worse. The Russian
| phone and the ones you mention are of course another story
| like you say but that's not what you were responding to,
| which is a valid point.
| drran wrote:
| > Apple/Google isn't going to try and steal your identity,
| bank account info, or numerous other "small" things
|
| You can believe in that, and trust them, but you cannot
| prove that, unless you have access to the source of
| everything installed by Google/Apple, and source of third
| party apps, favored by Google/Apple. But, even if you're
| working for a government agency and have access to sources,
| it's still a monumental task to do, because of the volume
| of the sources. It's why we, Linux owners, were crying when
| trivial initd and trivial shell scripts, which are easy to
| read and understand in about an hour or two, were replaced
| by Systemd, which may take days just to read source.
| gnopgnip wrote:
| Apple, Amazon, Google are not going to steal your credit
| card, identity, bank account info because you could sue
| them, and because consumer protection agencies would
| pursue them. The same is not true if you buy a no-name
| tablet with malware preloaded.
| google234123 wrote:
| > Linux owners, were crying when trivial initd and
| trivial shell scripts, which are easy to read and
| understand in about an hour or two, were replaced by
| Systemd
|
| Nah, most Linux owners didn't care, and the fact that most
| distributions voted with their feet to switch should
| say enough. Also, full init scripts were not trivial.
| pessimizer wrote:
| > Apple/Google isn't going to try and steal your identity,
| bank account info, or numerous other "small" things that
| some unknown and unaccountable company selling malware
| infected hardware could do.
|
| They all _could_ do it, but are you aware of any
| manufacturer-installed malware or rootkits on a device that
| have? They don't steal your bank account info or
| impersonate you _ever_ as far as I know; they make money
| off you in the same way every other company does.
|
| If we can't show any instances, then it becomes difficult
| to find this materially worse than what other tech
| companies do. It becomes more like embarrassment from being
| owned by an obscure foreign company rather than a famous
| American one.
| Razengan wrote:
| > _They all could do it_
|
| That account name is apt. _Everybody -could-_ do it. Even
| your spouse, your best friend, your parents. They _could_
| all steal your shit. But for sanity's sake a balance has
| to be struck between trust and paranoia.
| krono wrote:
| The main difference, of course, being that your best
| friend is someone you could actually make having to face
| the legal consequences (and/or punch in the face).
|
| These oversized American corporations are practically
| untouchable to the majority of people. They'll pay their
| laughable fines, pinky-promise to better self-regulate
| for real this time, and move on, leaving you in the dirt.
| [deleted]
| orbital-decay wrote:
| Before a certain Android version it was pretty common for
| Aliexpress sellers to plant unremovable ads, third-party
| stores, and god knows what else into the otherwise clean
| firmware, to be able to sell the phone with a discount. They
| usually didn't deny it, or even genuinely wondered - what's
| wrong with it? You bought it for a cheaper price after all, you
| should be happy, the seller is happy, everyone is, have a nice
| day sir. (a real conversation I had years ago)
| Engineering-MD wrote:
| It is the potential of hardware compromise that concerns me.
| Software can be wiped, but if the hardware itself contains
| backdoors, software can then be installed at any time.
| Furthermore, given the global supply system, it's so hard to
| confirm that any hardware is not compromised.
| leephillips wrote:
| When I need to replace my phone, how do I make sure my next one
| has never entered Chinese-controlled territory at any stage of
| its manufacture--including all its components?
| mnd999 wrote:
| You can't.
| Engineering-MD wrote:
| Can you instead verify that each component is uncorrupted, a
| hardware hash function if you will? Looking at density,
| centre of gravity, weight, appearance, and/or radiographic
| imaging?
| 3r8Oltr0ziouVDM wrote:
| https://shop.puri.sm/shop/librem-5-usa ?
| leephillips wrote:
| $1,999: the cost of telephonic security. Looks good.
| Scoundreller wrote:
| > but connects online via GPRS behind the user's back and sends
| data to a remote server, including phone IMEI and IMSI codes.
|
| This could end up costing you an absolute fortune in Canada if
| you use data without a mobile plan.
|
| > The phone sends an SMS with the phone IMEI and IMSI codes to
| phone numbers hardcoded in the firmware.
|
| This could be fun.
| mdp2021 wrote:
| > _caught subscribing users to premium SMS services_
|
| If one thought of espionage...
|
| > _Also intercepts SMS confirmation messages and replies on
| behalf of the user_
|
| > _All the remote servers that received this activity were
| located in China_
| orbital-decay wrote:
| Espionage is highly unlikely since nobody important will buy
| the cheapest of the cheap dumb phones. Most likely it's used for CC
| theft, spam, proxying, forcing unwanted paid subscriptions, and
| other scamming schemes. That DEXP is involved is especially
| interesting because it's a face brand for DNS, a large Russian
| retailer. While all these models are Chinese OEM phones with a
| label slapped on them and little to no modification otherwise,
| it's possible that DNS is involved.
|
| I also want to mention that the "Russian hacker groups don't do
| cybercrime at home, and the state lets them do it abroad" meme,
| which half of HN seems to sincerely believe, is _extremely_
| misguided, and just sounds bizarre to anyone who follows the
| topic. There is a continuum of loosely related Russian-speaking
| criminals in Russia, Ukraine, Belarus, Kazakhstan, and the Baltic
| States (mostly Lithuanian criminals who traditionally work as
| the EU bridge for others), and it's always hard to tell who is
| located where. Some of them have some ties with the Russian
| state (regardless of the country of origin), most don't.
| Domestic cybercrime is _rampant_ in Russia, often involves big
| names (such as the top 3 mobile operators in Russia), and the mere
| notion it's controlled in some way is ridiculous. The only
| issue is there's not much money to steal, so they turn to EU
| and US targets.
| ahsima1 wrote:
| Actually, considering the low pay and the rules prohibiting
| smartphones at many Russian defence companies, cheap dumb
| phones may be a great target for espionage.
| orbital-decay wrote:
| _> and the rules prohibiting smartphones at many Russian
| defence companies_
|
| In such companies, you typically leave any electronic
| devices on you (including watches) at the gate, from
| clocking in to clocking out. Nobody would care if your
| phone is dumb, it's still breaking the rule.
| ahsima1 wrote:
| Depends, some do indeed ban all electronic devices,
| others only ban smartphones and any devices with cameras.
| Probably after this incident most of them will move
| towards the former policy.
| dantyti wrote:
| >mostly Lithuanian criminals who traditionally work as the EU
| bridge for others
|
| Could you share any source for this?
| boomboomsubban wrote:
| >Espionage is highly unlikely since nobody important will buy
| cheapest of the cheap dumb phones
|
| I agree that this event is unlikely to be espionage, but
| someone important might buy a cheap dumb burner phone. I
| wouldn't put it past an intelligence agency to wholesale
| compromise cheap dumb phones for that reason.
| thriftwy wrote:
| According to the original article, DEXP has stopped selling
| these phones and is doing internal investigation.
|
| The real criminal here is Russia's big three (I would say,
| excluding MTS but including a new hot contender Tele2) who
| repeatedly rob vulnerable and elderly people via "paid
| content" schemas which have zero usefulness outside of scam.
| sys_64738 wrote:
| How do we never hear from the individuals who actually wrote the
| code to do these things? It'd be great to get an expose on the
| motivations and rationale for all this creeper spyware installed
| by rogue companies.
| srvmshr wrote:
| In Russia, you don't own a phone; the phone owns you
| coldtea wrote:
| So just like in the US?
| jdthedisciple wrote:
| Please -- evidence? (In case you're actually insinuating that
| the US has precedents, or even present cases, of sth. like
| this)
| [deleted]
| valparaiso wrote:
| Russia is already an authoritarian state where people are jailed
| for no reason, and the USA is leaning towards it with a left-
| extremist agenda.
| 3r8Oltr0ziouVDM wrote:
| Yes.
| Scoundreller wrote:
| Apple pulls some tricks like this with otherwise hidden-from-user
| SMSs.
|
| In France, some cheap SIM cards charge per mb and per SMS until
| you register a plan. So I carefully disabled mobile data, avoided
| SMS, loaded 10 EUR of credit over wifi, which 'activated' the
| phone on the network, but when I went to sign up for the 10 EUR
| plan, I found I only had 9,95 EUR left.
|
| As soon as credit was loaded, my iPhone sent an SMS ping to an
| Apple shortcode to tell iMessage my new number. The sending and
| record of this SMS was completely hidden from the user on the
| phone. Cue some he-said she-said with the carrier about whether I
| did or didn't send an SMS. Most mobile providers zero-rate
| shortcodes to Apple and hide it on their billing system too, but
| not Lebara.
|
| So I had to add 5 EUR more of credit just to buy the 10 EUR
| package for the month.
| uzakov wrote:
| Link to the original research: https://habr.com/ru/post/575626/
| greenyoda wrote:
| Translation from Russian to English:
| https://translate.google.com/translate?hl=&sl=ru&tl=en&u=htt...
___________________________________________________________________
(page generated 2021-09-05 23:00 UTC)