{"id":18973,"date":"2021-10-15T17:03:16","date_gmt":"2021-10-15T13:03:16","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/dangerous-feature-phones\/18973\/"},"modified":"2021-10-15T17:03:16","modified_gmt":"2021-10-15T13:03:16","slug":"dangerous-feature-phones","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/dangerous-feature-phones\/18973\/","title":{"rendered":"Dangerous feature phones"},"content":{"rendered":"

A recent review of five entry-level mobile phones retailing for about $10\u2013$20 examined their security in detail<\/a>. Commonly referred to as \u201cfeature phones\u201d or \u201cgranny phones\u201d \u2014 and often procured for elderly relatives either unwilling or unable to get used to smartphones \u2014 such phones can also be \u201cjust in case\u201d spares. Some people also believe they are safer than Android-powered smartphones.<\/p>\n

Well, the reviewer refuted that last bit. He discovered hidden functions in four out of the five phones: Two transmit data at first power up (leaking the new owner\u2019s personal information), and the other two not only leak private data, but can also subscribe the user to paid content by secretly communicating over the Internet with a command server.<\/p>\n

Infected granny phones<\/h2>\n

The study author offers information about the methods used to analyze these simple devices\u2019 firmware, the technicalities of which may be interesting to those willing to repeat the same analysis. However, let\u2019s get straight to the findings.<\/p>\n

Out of the five phones, two send the user\u2019s data somewhere the first time they\u2019re powered on. To whom the data goes \u2014 manufacturer, distributor, firmware developer, or somebody else \u2014 is not clear. Neither is it clear how the data may be used. It could be assumed that such data might be useful to monitor sales or control the distribution of batches of products in different countries. To be clear, it doesn\u2019t sound very dangerous; and after all, every smartphone transmits some telemetry data.<\/p>\n

Remember, however, that all major smartphone manufacturers at least try to anonymize the data they collect, and its destination is usually more or less clear. In this case, however, nothing is known about who is collecting owners\u2019 sensitive information without their consent. For example, one of the phones transmits not only its serial number, country of activation, firmware info, and language, but also the base station identifier, handy for establishing the user\u2019s approximate location.<\/p>\n

Moreover, the server collecting the data has no protection whatsoever, so the information is basically up for grabs. One more subtlety: The transmission takes place over the Internet. To be clear, a feature phone user may not even be aware that the device can go online. So, apart from anything else, the covert actions may result in surprise mobile traffic charges.<\/p>\n

Another phone from the review group, apart from leaking user data, was programmed to steal money from its owner. According to firmware analysis, the phone contacted the command server over the Internet and executed its instructions, including sending hidden text messages to paid numbers.<\/p>\n

The next phone model had even more advanced malicious functionality. According to one actual phone user, a total stranger used the phone number to sign up for Telegram. How could that have happened? Signing up for almost any messaging app means providing a phone number to which a confirmation code is sent by SMS. It seems, however, the phone can intercept this message and forward the confirmation code to a C&C server, all the while concealing the activity from the owner. Whereas the previous examples involved little more than unforeseen expense, this scenario threatens real legal problems, for example should the account be used for any criminal activities.<\/p>\n

What should I do now that I know push-button phones are unsafe?<\/h2>\n

The difference between modern low-end phones and their counterparts of 10 years ago is that now, even dirt-cheap circuitry can include Internet access. Even with an otherwise clean device, this may prove an unpleasant discovery: a phone chosen specifically for its inability to connect to the Internet goes online anyway.<\/p>\n

Earlier, the same researcher analyzed another push-button phone<\/a>. Although he found no malicious functionality, the device had a menu of paid subscriptions for horoscopes and demo games, the full versions of which the user could unlock \u2014 and pay for \u2014 with a text. In other words, your elderly relative or child could press the wrong button on a phone purchased specifically for its lack of Internet and apps and end up paying for the mistake.<\/p>\n

What makes this \u201cinfected\u201d mobiles story important is that it\u2019s often the manufacturer or a dealer back in China adding the \u201cextra features,\u201d so local distributors may not even be aware of the problem. Another complicating factor is that push-button phones come in small batches in a multitude of different models, and it is hard to tell a normal phone from a compromised one, unless one can thoroughly investigate firmware. Clearly, not all distributors can afford adequate firmware control.<\/p>\n

It might be easier just to buy a smartphone. Of course, that depends on budget, and unfortunately, cheaper smartphones may have similar malware issues<\/a>. But if you can afford one \u2014 even a very simple one \u2014 from a major manufacturer, it could prove a safer choice, especially if your reason for choosing a push-button device is that you\u2019re looking for something simple, reliable, and free of hidden functions. You can mitigate Android risks with a reliable antivirus app<\/a>; feature phones offer no such control.<\/p>\n

As for elderly relatives, if they\u2019re used to answering calls by opening their flip phone, adapting to a touch screen may prove next to impossible, but upgrading is worth a try in our opinion. Plenty of older folks have switched to smartphones<\/a> easily enough and can now happily experience the wide world of mobile computing.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Just like many other modern devices, seemingly \u201cdumb\u201d feature phones are much smarter than you might think. And this may be a problem.<\/p>\n","protected":false},"author":665,"featured_media":18974,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1486],"tags":[426,97,46,692],"class_list":{"0":"post-18973","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-mobile-devices","9":"tag-security-2","10":"tag-sms","11":"tag-trojans"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/dangerous-feature-phones\/18973\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/dangerous-feature-phones\/23496\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/dangerous-feature-phones\/25573\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/dangerous-feature-phones\/23645\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/dangerous-feature-phones\/23111\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/dangerous-feature-phones\/26255\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/dangerous-feature-phones\/25801\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/dangerous-feature-phones\/31710\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/dangerous-feature-phones\/10174\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/dangerous-feature-phones\/42466\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/dangerous-feature-phones\/17901\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/dangerous-feature-phones\/18296\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/dangerous-feature-phones\/15421\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/dangerous-feature-phones\/27586\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/dangerous-feature-phones\/31829\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/dangerous-feature-phones\/27728\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/dangerous-feature-phones\/24487\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/dangerous-feature-phones\/29848\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/dangerous-feature-phones\/29646\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/mobile-devices\/","name":"mobile devices"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18973"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18973\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18974"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}