Blog: Consumer Advice
Security flaws found in tiny phones promoted to children
TL;DR
- Three mini smartphones promoted to children were analysed
- Those devices are heavily promoted on TikTok
- All had outdated operating systems
- All could be rooted without wiping the phone, allowing data to be compromised with physical access
- One had malware artefacts pre-installed
- One had an application that allowed the changing of its IMEI
Why parents should be concerned
Smartphones have become an integral part of our lives, including those of our children. However, not all devices are created equal. Some pose significant security risks. Recently, we discovered that certain small-form budget smartphones, promoted to children, have serious security vulnerabilities. This post sheds light on the issues and provides parents with crucial information to protect their children from potential threats.
What phones did we investigate?
The phones were purchased from UK Amazon in July 2024 for £40 – £60. The devices can no longer be found easily there but are still available on eBay and AliExpress. Differentiating between the phones is difficult as there are lots of similarities and few physical differences.
Researching them online was difficult as manufacturer and product names are chaotic.
Because of their low price point they all had capacitive touch screens, making them awful to use.
SOYES S7
The SOYES S7, also referred to as the SOYES 7S for added confusion, is a discontinued mini phone. It only supports the 3G cellular network, has a 2.5-inch screen (that’s 6.4 cm in modern units), 8 GB of storage and is roughly credit card sized.
It comes with Android 6.0, which went out of support in August 2018.
ZOKOE XS13
Like the SOYES phone, the ZOKOE XS13 is a discontinued mini phone. On paper it looks very much the same as the SOYES phone, being 3G and a similar size. It does have twice the amount of storage (16 GB). The only real difference is that it runs Android 9.0, which went out of support in January 2022.
Hipipooo
The Hipipooo (yes, that is the correct number of o’s) is very similar to the ZOKOE phone, being 3G with 16 GB of storage and running Android 9.0.
Methods
We powered them up and did a basic set up for the default version of Android they ran, just as a regular user would.
We initially assessed the Android build of the phones to look for the version of the operating system installed and any default apps. To allow this we had to make changes to the phones, enabling the Android Debug Bridge (ADB).
As all three phones used a MediaTek MCU, it was possible to root them without causing a reset of the userdata partition by using the default MediaTek bootloader. This allowed a greater examination of the file system. This process could be used by any person with physical access to the phone.
As we could control the devices from a bootloader and Operating System level, we did not need to perform any hardware attacks.
Analysis
MediaTek chipset issue
All three phones are susceptible to local attacks due to vulnerabilities in the MediaTek chipsets that they use. These vulnerabilities leave the devices exposed to exploits that can be executed with only local access. The tool used to exploit these vulnerabilities is called mtkclient. This tool allows attackers to leverage the weaknesses in the MediaTek chipsets to perform firmware alterations on the device.
Using the mtkclient tool, an attacker can read and write partitions on the device. This means they can potentially alter the firmware on the device. The ability to manipulate partitions on the device is especially concerning because it allows for a wide range of malicious activities, including rooting the device, installing spyware or creating backdoors for further exploitation.
The MediaTek chipsets’ vulnerabilities are particularly problematic because they affect a wide range of devices. Many budget and mid-range smartphones use MediaTek processors, making the scope of potential attacks broad and affecting millions of users globally.
SOYES S7
Artefacts identified on the SOYES S7 share strong similarities with the Domino malware family, a preinstalled hostile downloader discovered on certain low-cost Android devices. The presence of the smsdamon and smsservice binaries indicates that remnants of this malware are still on the device.
For clarity, Domino malware was found preinstalled on some Android devices, particularly those running Android 7 or lower. This malware uses system privileges to download additional applications and prevent their uninstallation by the user. It modified several Android components, including the default browser and the Settings app, to perform various malicious activities.
The binaries found on the phone, smsdamon and smsservice, play specific roles within the malware framework:
- smsdamon: Manages configurations, communicates with command and control (C&C) servers, and performs fake SMS activity.
- smsservice: Displays advertisements and installs applications based on responses from the C&C servers.
These binaries use HTTP endpoints on the C&C server for their operations:
- /bus-webapi/rest/service/mzc
- /ymlist.txt
- /bus-webapi/rest/service/strategy
The smsdamon binary manipulates the SMS database to add fake messages, which might be used for spamming or phishing. It stores configurations and C&C information in an SQLite database, which includes phone information and advertisement configurations.
The smsservice binary is responsible for displaying advertisements and installing applications without user interaction, exploiting the elevated privileges granted to the malware. This allows the malware to execute commands that typically require user consent, making it harder to detect and remove.
The Settings app on devices affected by Domino malware had its manifest modified to include metadata pointing to C&C servers. This modification allows the malware to persist and operate with elevated privileges. For example:
<meta-data android:name="BASE_B_URL" android:value="http://bus.dominoppo.in"/>
<meta-data android:name="BASE_A_URL" android:value="http://psd.dominoppo.site"/>
These URLs are part of the command-and-control infrastructure used by the malware to receive instructions and download additional payloads.
Although the malware binaries on the phone (smsdamon and smsservice) appear inactive, their presence indicates that the device was, or may still be, compromised. This could be an artefact of a previous operating system version or of an incomplete malware removal. Although the other binaries outlined above are not present, the components that remain can still pose significant risks, such as unauthorised SMS activity and potential data leaks.
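The three kinds of evidence described above (the smsdamon/smsservice binaries, the C&C endpoint paths, and the BASE_A_URL/BASE_B_URL manifest entries) can be checked for mechanically once a device image or an ADB shell is available. The following triage script is an added example written for this post, not code from the original article or from the Domino analysis it cites. The file listing, strings output and decoded Settings manifest it runs over are constructed sample data standing in for what you would pull from a real device (for example with `adb shell find`, `strings` on a pulled binary, and a decoded AndroidManifest.xml); the indicator lists themselves are taken only from the post.

```python
"""Triage helper for Domino-style preinstalled-malware artefacts (added example)."""
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Indicators quoted in the post: binary names, C&C endpoint paths,
# manifest meta-data keys and the C&C hosts those keys pointed at.
SUSPECT_BINARIES = {"smsdamon", "smsservice"}
SUSPECT_ENDPOINTS = {
    "/bus-webapi/rest/service/mzc",
    "/ymlist.txt",
    "/bus-webapi/rest/service/strategy",
}
SUSPECT_META_KEYS = {"BASE_A_URL", "BASE_B_URL"}
SUSPECT_HOSTS = {"bus.dominoppo.in", "psd.dominoppo.site"}


def find_suspect_binaries(listing: str) -> List[str]:
    """Return full paths (one per line, e.g. from `find /system -type f`)
    whose basename matches a known Domino binary name."""
    hits = []
    for line in listing.splitlines():
        path = line.strip()
        if path and path.rsplit("/", 1)[-1] in SUSPECT_BINARIES:
            hits.append(path)
    return hits


def find_suspect_endpoints(strings_output: str) -> Set[str]:
    """Return the known C&C endpoint paths that appear in `strings` output."""
    found = set()
    for line in strings_output.splitlines():
        for endpoint in SUSPECT_ENDPOINTS:
            if endpoint in line:
                found.add(endpoint)
    return found


def find_cc_metadata(manifest_xml: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for <meta-data> elements whose name is a
    Domino config key or whose value is a URL on a known C&C host."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for md in root.iter("meta-data"):
        name = md.get("{%s}name" % ANDROID_NS, "")
        value = md.get("{%s}value" % ANDROID_NS, "")
        host = urlparse(value).hostname if value else None
        if name in SUSPECT_META_KEYS or host in SUSPECT_HOSTS:
            hits.append((name, value))
    return hits


def triage(listing: str, strings_output: str, manifest_xml: str) -> Dict[str, object]:
    """Combine the three checks; flag the device as Domino-like only when a
    known binary is present together with network or manifest evidence."""
    binaries = find_suspect_binaries(listing)
    endpoints = sorted(find_suspect_endpoints(strings_output))
    metadata = find_cc_metadata(manifest_xml)
    return {
        "binaries": binaries,
        "endpoints": endpoints,
        "metadata": metadata,
        "domino_like": bool(binaries) and (bool(endpoints) or bool(metadata)),
    }


# Constructed sample inputs (not captured from a real device).
SAMPLE_LISTING = """
/system/bin/sh
/system/bin/smsdamon
/system/bin/smsservice
/system/app/Settings/Settings.apk
"""

SAMPLE_STRINGS = """
Content-Type: application/json
/bus-webapi/rest/service/mzc
/ymlist.txt
"""

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.settings">
  <application>
    <meta-data android:name="BASE_B_URL" android:value="http://bus.dominoppo.in"/>
    <meta-data android:name="BASE_A_URL" android:value="http://psd.dominoppo.site"/>
    <meta-data android:name="android.max_aspect" android:value="2.1"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LISTING, SAMPLE_STRINGS, SAMPLE_MANIFEST).items():
        print(key, val)
```

The "domino_like" verdict deliberately requires a binary hit plus either endpoint or manifest evidence, so a stray file with a coincidental name is reported but not treated as a confirmed infection on its own; a real investigation would still pull the SQLite configuration database the post mentions and inspect the SMS database for injected messages.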
ZOKOE XS13
The ZOKOE XS13 had an app named engineermode. This could change the International Mobile Equipment Identity (IMEI) of the device. The IMEI is a unique identifier assigned to mobile phones. This number is used to distinguish each device on a mobile network. It is typically used for various security purposes, including tracking stolen phones and authenticating devices on a network.
The presence of an app that can alter the IMEI is concerning for many reasons. Firstly, changing the IMEI can undermine the security measures put in place by mobile networks and regulatory bodies. The IMEI acts as a fingerprint for the phone and altering it can help malicious actors avoid detection and continue using a stolen device or engage in fraudulent activities without being traced.
From a technical perspective, altering the IMEI requires access to certain low-level functions of the phone’s hardware and firmware. This level of access is usually restricted and protected by the device’s operating system and hardware manufacturers to prevent unauthorised modifications. An app capable of changing the IMEI indicates a significant breach of these security measures.
The ability to change the IMEI can have serious legal implications. Many jurisdictions consider tampering with the IMEI to be illegal due to its potential use in criminal activities, such as evading law enforcement, circumventing carrier restrictions, and facilitating the sale of black-market phones. Therefore, possessing or distributing such an application can lead to legal consequences for the individuals involved.
Please note that we did not attempt to change the IMEI to determine if it was possible, as this may render the phone unusable or potentially break the law.
Hipipooo
The Hipipooo phone, despite having a silly name that must have affected sales volumes, did not have any immediately obvious security flaws, other than those associated with running an old Android version and hardware issues.
Conclusion
Every post or article we see about cheap consumer electronics (including our own) always comes with the warnings “buyer beware” and “you get what you pay for”. These devices were obviously low quality and firmly at the bottom end of the market. That said, they were quite expensive for budget phones.
It’s hard to say anything good about them, even from a usability perspective. The cheap touchscreen made them hard to use, the old versions of the operating system would provide little support for popular apps, and they didn’t have much processing power.
From a security perspective it’s a disaster: they all run an ancient operating system. If you choose the wrong device you might even get some free malware!
In short, don’t waste your money. Buy a more up to date phone from a trusted manufacturer, and apply the family security settings in Android and iOS.