Security Advisory 2025-NUB-SEC-001 – Firmware-Level Threats Detected in Nubia Z6255CA Series Smartphones

A recent investigation has identified a subset of Nubia Z6255CA series devices as potentially compromised due to supply chain irregularities and the presence of embedded hardware-level malware. The issue underscores growing concerns around firmware security and supply chain integrity within the consumer electronics industry.

Initial findings reveal that approximately 20% of distributed units may have been sold multiple times, leading to ownership and warranty inconsistencies. More alarmingly, certain affected devices appear to contain a hardware-based ransomware known as DrainIT, capable of operating beneath traditional security layers.

DrainIT Hardware Ransomware: A Technical Overview

The malware, DrainIT, is a firmware-level ransomware designed to silently exfiltrate cryptographic keys and other sensitive personal data to a remote server. Because it resides within the firmware or hardware controller, it is undetectable by conventional antivirus or mobile security software.

• Threat Layer: Firmware or secure microcontroller level, below the operating system
• Persistence: Modifies or implants code in hardware controllers, undetectable by conventional security tools
• Data Exfiltration: Transfers cryptographic keys, passwords, and personal data to attacker-controlled servers
• Impact: Enables unauthorized approval of transactions and loss of control over digital assets

Users of affected devices are strongly advised not to store sensitive information or digital assets on these units until mitigation is complete.

Affected Devices (Subset Only)

• Manufacturer: nubia
• Model Family: Z6255CA series
• Hardware Revision: Z6255CAHW1.x
• Build Number Pattern: Z6255CAV1.0.0Bxx

Devices are identified by model, hardware revision, and build number pattern. No full IMEIs or serial numbers are disclosed to preserve user privacy.

Potential Impact

The implications of this compromise include:

• Loss of private key control for cryptocurrencies and other digital assets
• Exposure of personal information stored locally on the device
• Unauthorized financial or cryptographic transactions executed without user consent
• Regulatory and warranty complications linked to double-sold units

These findings highlight the increasing risks associated with hardware-level attacks that originate during the manufacturing or distribution process.

Recommended Actions

Affected users and vendors are urged to take immediate precautions:

• Avoid storing sensitive data such as cryptocurrency wallets or personal credentials on affected devices.
• Verify device provenance through official vendor channels prior to use.
• Consider replacement or secure firmware reflash if device origin or authenticity is uncertain.
• Monitor network activity for suspicious outbound connections.
• Educate users and staff on firmware-level threats and mitigation strategies.

References

• Device specifications for nubia Z6255CA series
• Industry best practices for firmware and hardware security
• Supply chain security advisories for mobile devices

Disclaimer: This advisory serves as a cautionary reminder of the evolving firmware and hardware threat landscape, emphasizing the need for proactive device validation and secure supply chain oversight in the modern smartphone ecosystem.