Researchers from Doctor Web discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models. The malware targets WhatsApp and WhatsApp Business messaging apps and can allow attackers to conduct multiple malicious activities.
“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users.” reads the post published by Doctor Web. “The affected devices are claimed to have a modern and secure Android OS version installed on them. But, in reality, they are based on an obsolete version subject to multiple vulnerabilities.”
Doctor Web became aware of the malicious campaign in July 2022, after several users contacted the security firm to report suspicious activity on their Android devices. The researchers discovered changes in the system storage area as well as the appearance of the same malicious code in the system partition of multiple models, including P48pro, radmi note 8, Note30u, and Mate40.
The experts noticed that all the devices were copycats of famous brand-name models: their names resemble those of models produced by popular manufacturers. Another circumstance discovered by the experts is that all the devices were running an outdated OS version (Android 4.4.2) instead of the latest OS version reported in the device details.
Dr.Web researchers noticed changes in the “/system/lib/libcutils.so” and “/system/lib/libmtd.so” objects.
The libcutils.so object is a system library that has been modified so that, whenever any application uses it, a trojan tracked as Android.BackDoor.3105, which is contained in the libmtd.so file, is executed.
If the WhatsApp or WhatsApp Business messengers, or the “Settings” and “Phone” system apps, use libmtd.so, the second stage of the infection is triggered. The malware copies another backdoor into the directory of the appropriate app and launches it. Dr.Web researchers tracked this backdoor as Android.Backdoor.854.origin. This backdoor allows operators to download and install additional malicious modules.
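Two of the indicators described above (a firmware that advertises a newer Android release than the platform it is actually built on, and system libraries such as libcutils.so and libmtd.so whose contents no longer match a known-good build) can be checked from a workstation with `adb`. The script below is an added example for this article, not Dr.Web's tooling: it parses `adb shell getprop` output and compares the advertised `ro.build.version.release` against the `ro.build.version.sdk` API level using the well-known release-to-API mapping, and it compares SHA-256 hashes of library contents against a baseline manifest. The getprop text, the library bytes and the baseline are constructed samples; on a real device the baseline would come from the vendor's unmodified firmware image.

```python
"""Audit a device's advertised Android version and system-library integrity.

Added example for this article, not Dr.Web's tooling. It works on
`adb shell getprop` output and on a baseline manifest of SHA-256 hashes
for /system/lib objects; both inputs here are constructed samples.
"""
import hashlib
import re

# Release -> API level mapping for mainline Android versions (well-known values).
RELEASE_TO_SDK = {
    "4.4": 19, "4.4.2": 19, "5.0": 21, "5.1": 22, "6.0": 23,
    "7.0": 24, "7.1": 25, "8.0": 26, "8.1": 27, "9": 28,
    "10": 29, "11": 30, "12": 31, "13": 33,
}

# getprop prints one property per line as `[key]: [value]`.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `getprop` output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def version_mismatch(props):
    """Return a message if the advertised release and the SDK level disagree.

    Counterfeit firmware can rewrite the user-visible release string while
    the underlying platform (and therefore its API level) stays old.
    Returns None when the release string is unknown or the SDK is missing.
    """
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    expected = RELEASE_TO_SDK.get(release)
    if expected is None or not sdk.isdigit():
        return None
    if int(sdk) != expected:
        return f"release {release} implies API {expected}, device reports API {sdk}"
    return None


def check_library_hashes(files, baseline):
    """Compare SHA-256 of each library's bytes with the baseline manifest.

    `files` maps a path to its bytes (e.g. pulled with `adb pull`);
    `baseline` maps a path to the expected hex digest. Returns the paths
    whose hash differs from the baseline or which are missing entirely.
    """
    modified = []
    for path, expected in baseline.items():
        data = files.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            modified.append(path)
    return modified


# Constructed sample: a device advertising Android 10 on an API-19 (4.4) base.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [19]
[ro.product.model]: [Note30u]
"""

# Constructed "clean" library contents and the baseline derived from them.
CLEAN_LIBS = {
    "/system/lib/libcutils.so": b"clean libcutils placeholder",
    "/system/lib/libmtd.so": b"clean libmtd placeholder",
}
BASELINE = {p: hashlib.sha256(b).hexdigest() for p, b in CLEAN_LIBS.items()}

# Constructed "device" copies: both objects have been altered, as in the report.
DEVICE_LIBS = {
    "/system/lib/libcutils.so": b"clean libcutils placeholder" + b"\x00patched",
    "/system/lib/libmtd.so": b"clean libmtd placeholder" + b"\x00payload",
}


def audit(getprop_text=SAMPLE_GETPROP, device_libs=DEVICE_LIBS, baseline=BASELINE):
    """Run both checks and return the findings as a list of strings."""
    findings = []
    mismatch = version_mismatch(parse_getprop(getprop_text))
    if mismatch:
        findings.append("version: " + mismatch)
    for path in check_library_hashes(device_libs, baseline):
        findings.append("modified: " + path)
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed sample the audit reports the release/API mismatch and both modified libraries. The version check deliberately returns None for release strings it does not know rather than guessing, so an unrecognised vendor build string is a prompt to extend the mapping, not a finding in itself.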
“To download modules, Android.Backdoor.854.origin connects to one of several C&C servers, sending a request with a certain array of technical data about the device. In response, the server sends a list of plugins that the trojan will download, decrypt and run.” reads the analysis. “The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules.”
If the wpa_supplicant system app (which allows controlling wireless connections) was involved in the launch of the backdoor, Android.BackDoor.3104 starts a local server. It allows a remote or local client to connect and operate in the “mysh” console application, which must first be installed on the device or initially present in its firmware.
According to the researchers, the malicious apps discovered in the system partition could belong to the FakeUpdates family.
“Malicious actors embed them into various system components, like firmware updating software, the default settings app or the component responsible for the system graphical interface. While in operation, these trojans execute various Lua scripts that they particularly use to download and install other software. It is just such a trojan—Android.FakeUpdates.1.origin—that has been discovered on one of the targeted smartphones.” concludes Dr.Web.
To avoid becoming a victim of such malware attacks, experts recommend purchasing mobile devices only from official stores and legitimate distributors. They also highlight the importance of using antivirus software and keeping the OS up to date.
(SecurityAffairs – hacking, Android)