Monday, July 15, 2024

Malware in Counterfeit Android Device Attack on WhatsApp and WhatsApp Business

Researchers from Doctor Web identified backdoors in the system partition of budget Android device models which targets WhatsApp and WhatsApp Business messaging apps. This malware could allow attackers to carry out various malicious activities.

“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users.” reads the post published by Doctor Web.

In this case, the affected devices are claimed to have modern and secure Android OS versions installed on them. Experts say they are based on an obsolete version subject to multiple vulnerabilities.

In July 2022, Doctor Web became aware of this malicious campaign only after several users contacted the company to report suspicious activity on their Android devices.

“Several users contacted Doctor Web’s anti-virus laboratory with complaints about suspicious activity on their Android smartphones”, Doctor Web.

Notably, Doctor Web Anti-Virus identified changes in the system storage area and in the appearance of the same malware in the system partition. Researchers say that the attacked devices were copycats of popular brand-name models.

The Affected Models

  • [«P48pro»]
  • [«radmi note 8»]
  • [«Note30u»]
  • [«Mate40»]

Researchers noticed that all devices were running outdated OS versions (i.e. Android 4.4.2 version) instead of the latest OS versions. Moreover, the names of these models are consonant with the names of some of the models produced by famous manufacturers.

Dr.Web Anti-Virus Detected Changes in the Following Objects:

  • /system/lib/
  • /system/lib/

The object libcutils[.]so is a system library, which is harmless by design. But when it is used by any application, a trojan from the libmtd[.]so file is launched. Dr.Web detects the modified version of this system library as Android.BackDoor.3105.

Subsequently, libmtd[.]so the trojan library is called Android.BackDoor.3104, the actions it performs are based on which program is using the libcutils[.]so library. Therefore, if WhatsApp and WhatsApp Business messengers or “Settings” and “Phone” system apps are using it, Android.BackDoor.3104 carries on to the second stage of infection.

At this moment, the trojan copies another backdoor into the directory of the appropriate app and launches it. Researchers say the primary function of this component is downloading and installing additional malicious modules and this malware was added to the Dr.Web virus database as Android.Backdoor.854.origin.

This Android.Backdoor.854.origin connects to one of several C&C servers, sending a request with a certain array of technical data about the device. The server sends a list of plugins that the trojan will download, decrypt and run. Thus it allows for reading chats, listening to phone calls, and conducting malicious activities.

“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules”, Doctor Web

Additionally, during the process, these trojans execute various Lua scripts which are used to download and install other software. It is just such a Trojan, Android.FakeUpdates.1.origin – that has been discovered on one of the targeted smartphones.

Finally, to stay away from these malicious malware activities, Doctor Web suggests users purchase mobile devices in official stores and from reputable distributors. It is essential to use anti-virus and install all available OS updates on the device.

Also, Dr.Web Security Space for Android successfully detects and (if root access is available) neutralizes the above-described trojans, curing infected devices.

Secure Azure AD Conditional Access – Download Free White Paper


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles