Friday, February 7, 2025

Malware in Counterfeit Android Device Attack on WhatsApp and WhatsApp Business


Researchers from Doctor Web identified backdoors in the system partition of budget Android device models that target the WhatsApp and WhatsApp Business messaging apps. This malware could allow attackers to carry out various malicious activities.

“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users,” reads the post published by Doctor Web.

The affected devices are claimed to have modern and secure Android OS versions installed on them. Experts say they are in fact based on an obsolete version that is subject to multiple vulnerabilities.

In July 2022, Doctor Web became aware of this malicious campaign only after several users contacted the company to report suspicious activity on their Android devices.

“Several users contacted Doctor Web’s anti-virus laboratory with complaints about suspicious activity on their Android smartphones”, Doctor Web.

Notably, Dr.Web Anti-Virus identified changes in the system storage area and the appearance of the same malware in the system partition. Researchers say that the attacked devices were copycats of popular brand-name models.

The Affected Models

  • «P48pro»
  • «radmi note 8»
  • «Note30u»
  • «Mate40»

Researchers noticed that all devices were running an outdated OS version (Android 4.4.2) instead of the latest OS versions. Moreover, the names of these models resemble the names of some of the models produced by famous manufacturers.

Dr.Web Anti-Virus Detected Changes in the Following Objects:

  • /system/lib/libcutils.so
  • /system/lib/libmtd.so

The object libcutils[.]so is a system library that is harmless by design. In its modified form, however, whenever any application uses it, a trojan from the libmtd[.]so file is launched. Dr.Web detects the modified version of this system library as Android.BackDoor.3105.

The trojan library libmtd[.]so is named Android.BackDoor.3104, and the actions it performs depend on which program is using the libcutils[.]so library. If the WhatsApp or WhatsApp Business messengers, or the “Settings” or “Phone” system apps, are using it, Android.BackDoor.3104 proceeds to the second stage of infection.

At this stage, the trojan copies another backdoor into the directory of the appropriate app and launches it. Researchers say the primary function of this component is downloading and installing additional malicious modules. It was added to the Dr.Web virus database as Android.Backdoor.854.origin.

Android.Backdoor.854.origin connects to one of several C&C servers and sends a request containing a set of technical data about the device. The server responds with a list of plugins that the trojan will download, decrypt and run. This allows for reading chats, listening to phone calls, and conducting other malicious activities.

“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules”, Doctor Web

Additionally, during the process, these trojans execute various Lua scripts that are used to download and install other software. One such trojan, Android.FakeUpdates.1.origin, was discovered on one of the targeted smartphones.

Finally, to avoid these threats, Doctor Web suggests users purchase mobile devices in official stores and from reputable distributors. It is essential to use anti-virus and install all available OS updates on the device.

Also, Dr.Web Security Space for Android successfully detects and (if root access is available) neutralizes the above-described trojans, curing infected devices.
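A triage check for the two indicators described above (the outdated OS version and the changed objects in /system/lib), as an added example that is not code from Doctor Web or the original article. It assumes the analyst has `getprop` output from the device, SHA-256 hashes of files pulled from it and hashed on a trusted host, and a hypothetical baseline of hashes from a trusted reference image; all sample values are constructed.

```python
import re

# Android release -> API level (public platform constants).
API_LEVEL = {"4.4": 19, "10": 29, "11": 30, "12": 31}
# Objects the article says Dr.Web saw changed; reported first when they differ.
WATCHED = ("/system/lib/libcutils.so", "/system/lib/libmtd.so")

def parse_getprop(text):
    """Parse `adb shell getprop` output: one `[key]: [value]` per line."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def parse_hashes(text):
    """Parse sha256sum-style lines: `<hex digest>  <path>`."""
    pairs = (line.split(None, 1) for line in text.strip().splitlines())
    return {path.strip(): digest.lower() for digest, path in pairs}

def triage(props, device, baseline, advertised):
    """Return (kind, detail) findings for one device."""
    findings = []
    sdk = int(props.get("ro.build.version.sdk", "0"))
    expected = API_LEVEL[advertised]
    if sdk < expected:  # device is older than what it was sold as
        findings.append(("version", f"advertised Android {advertised} "
                         f"(API {expected}), device reports API {sdk}"))
    for path in sorted(device, key=lambda p: (p not in WATCHED, p)):
        if path not in baseline:
            findings.append(("unexpected", path))
        elif device[path] != baseline[path]:
            findings.append(("modified", path))
    return findings

# Constructed sample data (not taken from a real device or firmware image).
SAMPLE_PROPS = """[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.product.model]: [P48pro]"""
SAMPLE_DEVICE = "\n".join([
    "a" * 64 + "  /system/lib/libc.so",
    "b" * 64 + "  /system/lib/libcutils.so",
    "c" * 64 + "  /system/lib/libmtd.so"])
SAMPLE_BASELINE = "\n".join([
    "a" * 64 + "  /system/lib/libc.so",
    "d" * 64 + "  /system/lib/libcutils.so",
    "e" * 64 + "  /system/lib/libmtd.so"])

if __name__ == "__main__":
    for kind, detail in triage(parse_getprop(SAMPLE_PROPS), parse_hashes(SAMPLE_DEVICE),
                               parse_hashes(SAMPLE_BASELINE), advertised="10"):
        print(kind, detail)
```

Values reported by a tampered device cannot be fully trusted, so a clean result here does not clear the device; a mismatch is the useful signal.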


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
