Wednesday, April 24, 2024

Malware in Counterfeit Android Device Attack on WhatsApp and WhatsApp Business

Researchers from Doctor Web identified backdoors in the system partition of budget Android device models which targets WhatsApp and WhatsApp Business messaging apps. This malware could allow attackers to carry out various malicious activities.

“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users.” reads the post published by Doctor Web.

In this case, the affected devices are claimed to have modern and secure Android OS versions installed on them. Experts say they are based on an obsolete version subject to multiple vulnerabilities.

In July 2022, Doctor Web became aware of this malicious campaign only after several users contacted the company to report suspicious activity on their Android devices.

“Several users contacted Doctor Web’s anti-virus laboratory with complaints about suspicious activity on their Android smartphones”, Doctor Web.

Notably, Doctor Web Anti-Virus identified changes in the system storage area and in the appearance of the same malware in the system partition. Researchers say that the attacked devices were copycats of popular brand-name models.

The Affected Models

  • [«P48pro»]
  • [«radmi note 8»]
  • [«Note30u»]
  • [«Mate40»]

Researchers noticed that all devices were running outdated OS versions (i.e. Android 4.4.2 version) instead of the latest OS versions. Moreover, the names of these models are consonant with the names of some of the models produced by famous manufacturers.

Dr.Web Anti-Virus Detected Changes in the Following Objects:

  • /system/lib/
  • /system/lib/

The object libcutils[.]so is a system library, which is harmless by design. But when it is used by any application, a trojan from the libmtd[.]so file is launched. Dr.Web detects the modified version of this system library as Android.BackDoor.3105.

Subsequently, libmtd[.]so the trojan library is called Android.BackDoor.3104, the actions it performs are based on which program is using the libcutils[.]so library. Therefore, if WhatsApp and WhatsApp Business messengers or “Settings” and “Phone” system apps are using it, Android.BackDoor.3104 carries on to the second stage of infection.

At this moment, the trojan copies another backdoor into the directory of the appropriate app and launches it. Researchers say the primary function of this component is downloading and installing additional malicious modules and this malware was added to the Dr.Web virus database as Android.Backdoor.854.origin.

This Android.Backdoor.854.origin connects to one of several C&C servers, sending a request with a certain array of technical data about the device. The server sends a list of plugins that the trojan will download, decrypt and run. Thus it allows for reading chats, listening to phone calls, and conducting malicious activities.

“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules”, Doctor Web

Additionally, during the process, these trojans execute various Lua scripts which are used to download and install other software. It is just such a Trojan, Android.FakeUpdates.1.origin – that has been discovered on one of the targeted smartphones.

Finally, to stay away from these malicious malware activities, Doctor Web suggests users purchase mobile devices in official stores and from reputable distributors. It is essential to use anti-virus and install all available OS updates on the device.

Also, Dr.Web Security Space for Android successfully detects and (if root access is available) neutralizes the above-described trojans, curing infected devices.

Secure Azure AD Conditional Access – Download Free White Paper


Latest articles

Researchers Uncover that UK.GOV Websites Sending Data to Chinese Ad Vendor Analysts

Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites...

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members...

IBM Nearing Talks to Acquire Cloud-software Provider HashiCorp

IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure...

Rewards Up to $10 Million for Information on Iranian Hackers

The United States Justice Department has announced big rewards for information leading to the...

PoC Exploit Released For Critical Oracle VirtualBox Vulnerability

Oracle Virtualbox was identified and reported as having a critical vulnerability associated with Privilege...

Tracing the Steps of Cyber Intruders: The Path of Lateral Movement

When cyber attacks strike, it's rarely a single computer that suffers. Nowadays, cybercriminals set...

U.S. to Impose Visa Restrictions on 13 Individuals Involved in Commercial Spyware Operations

To combat the misuse of commercial spyware, the United States Department of State has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles