The IT security researchers at Doctor Web have identified that many budget Android device models, which are counterfeited versions of popular models from different smartphone brands, contain backdoors and target WhatsApp accounts and WhatsApp Business messaging apps.
According to Doctor Web’s research, at least four smartphone models, including Redmi note 8, P48pro, Mate40, and Note30u, were harboring malware. The discovery was made in July 2022, and malware was found in system partitions of these smartphones.
The names of these models are consonant with the names of some of the models produced by famous manufacturers. This, coupled with the false information about the installed OS version, de facto allows us to consider these devices as fakes.Dr.Web
It is worth noting that these devices are marketed as containing the securest Android operating system version, such as Android 10. However, in reality, these contain an obsolete version, for example, Android 4.4.2, which contains multiple security vulnerabilities.
How was it Detected?
According to Doctor Web’s report, in July, their anti-virus lab received several complaints about dubious activities on their Android devices. The company’s anti-virus also started detecting changes in the system storage and noticed malware appearing in the system partition.
The targeted devices turned out to e counterfeited versions of popular smartphone brand names, and their names aligned with the original models’ names. Plus, the phones contained outdated OS versions, which further validated that the devices were fakes. Doctor Web’s anti-virus identified changes in the following objects:
The changes were detected using its system partition integrity-monitoring feature and ability to see file changes in partitions. These files were modified so that when an app used the libcutils.so system library, it triggered a trojan already incorporated in the file.
If the app was WhatsApp or WhatsApp Business, the file launched a third backdoor that downloaded/installed new plugins from a remote server onto the compromised phone. These backdoors and modules functioned in such a way that they became a part of the app.
Doctor Web researchers believe the system partition implants may be linked to the FakeUpdates or SocGholish malware family. This malware can exfiltrate extensive metadata about the targeted device and download/install other software via Lua scripts without alerting the user.
Furthermore, the trojans embedded in the phones can target arbitrary code execution in WhatsApp accounts and can be utilized in a wide range of attack scenarios such as chat interception and stealing sensitive private data. Moreover, the malware can launch numerous scam campaigns.
To avoid using infected phones, purchase smartphones or other handheld devices from authentic distributors or official stores only.
- Low-cost Android Smartphones Shipped with Malicious Firmware
- Shoe giveaway scam hits Android users with malware on Play Store
- Fake reviews & third-party apps cause 50% of threats against Android
- Nasty malware duo pre-installed on thousands of cheap Android phones
- Pre-installed Trojan in Cheap Android Devices Steal Data, Intercept Chats