Researchers from Doctor Web identified backdoors in the system partition of budget Android device models which targets WhatsApp and WhatsApp Business messaging apps. This malware could allow attackers to carry out various malicious activities.
“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users.” reads the post published by Doctor Web.
In this case, the affected devices are claimed to have modern and secure Android OS versions installed on them. Experts say they are based on an obsolete version subject to multiple vulnerabilities.
In July 2022, Doctor Web became aware of this malicious campaign only after several users contacted the company to report suspicious activity on their Android devices.
“Several users contacted Doctor Web’s anti-virus laboratory with complaints about suspicious activity on their Android smartphones”, Doctor Web.
Notably, Doctor Web Anti-Virus identified changes in the system storage area and in the appearance of the same malware in the system partition. Researchers say that the attacked devices were copycats of popular brand-name models.
The Affected Models
- [«P48pro»]
- [«radmi note 8»]
- [«Note30u»]
- [«Mate40»]
Researchers noticed that all devices were running outdated OS versions (i.e. Android 4.4.2 version) instead of the latest OS versions. Moreover, the names of these models are consonant with the names of some of the models produced by famous manufacturers.
Dr.Web Anti-Virus Detected Changes in the Following Objects:
- /system/lib/libcutils.so
- /system/lib/libmtd.so
The object libcutils[.]so is a system library, which is harmless by design. But when it is used by any application, a trojan from the libmtd[.]so file is launched. Dr.Web detects the modified version of this system library as Android.BackDoor.3105.
Subsequently, libmtd[.]so the trojan library is called Android.BackDoor.3104, the actions it performs are based on which program is using the libcutils[.]so library. Therefore, if WhatsApp and WhatsApp Business messengers or “Settings” and “Phone” system apps are using it, Android.BackDoor.3104 carries on to the second stage of infection.
At this moment, the trojan copies another backdoor into the directory of the appropriate app and launches it. Researchers say the primary function of this component is downloading and installing additional malicious modules and this malware was added to the Dr.Web virus database as Android.Backdoor.854.origin.
This Android.Backdoor.854.origin connects to one of several C&C servers, sending a request with a certain array of technical data about the device. The server sends a list of plugins that the trojan will download, decrypt and run. Thus it allows for reading chats, listening to phone calls, and conducting malicious activities.
“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules”, Doctor Web
Additionally, during the process, these trojans execute various Lua scripts which are used to download and install other software. It is just such a Trojan, Android.FakeUpdates.1.origin – that has been discovered on one of the targeted smartphones.
Finally, to stay away from these malicious malware activities, Doctor Web suggests users purchase mobile devices in official stores and from reputable distributors. It is essential to use anti-virus and install all available OS updates on the device.
Also, Dr.Web Security Space for Android successfully detects and (if root access is available) neutralizes the above-described trojans, curing infected devices.
Secure Azure AD Conditional Access – Download Free White Paper
