Thursday, March 28, 2024

Malware in Counterfeit Android Device Attack on WhatsApp and WhatsApp Business

Researchers from Doctor Web identified backdoors in the system partition of budget Android device models which targets WhatsApp and WhatsApp Business messaging apps. This malware could allow attackers to carry out various malicious activities.

“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users.” reads the post published by Doctor Web.

In this case, the affected devices are claimed to have modern and secure Android OS versions installed on them. Experts say they are based on an obsolete version subject to multiple vulnerabilities.

In July 2022, Doctor Web became aware of this malicious campaign only after several users contacted the company to report suspicious activity on their Android devices.

“Several users contacted Doctor Web’s anti-virus laboratory with complaints about suspicious activity on their Android smartphones”, Doctor Web.

Notably, Doctor Web Anti-Virus identified changes in the system storage area and in the appearance of the same malware in the system partition. Researchers say that the attacked devices were copycats of popular brand-name models.

The Affected Models

  • [«P48pro»]
  • [«radmi note 8»]
  • [«Note30u»]
  • [«Mate40»]

Researchers noticed that all devices were running outdated OS versions (i.e. Android 4.4.2 version) instead of the latest OS versions. Moreover, the names of these models are consonant with the names of some of the models produced by famous manufacturers.

Dr.Web Anti-Virus Detected Changes in the Following Objects:

  • /system/lib/libcutils.so
  • /system/lib/libmtd.so

The object libcutils[.]so is a system library, which is harmless by design. But when it is used by any application, a trojan from the libmtd[.]so file is launched. Dr.Web detects the modified version of this system library as Android.BackDoor.3105.

Subsequently, libmtd[.]so the trojan library is called Android.BackDoor.3104, the actions it performs are based on which program is using the libcutils[.]so library. Therefore, if WhatsApp and WhatsApp Business messengers or “Settings” and “Phone” system apps are using it, Android.BackDoor.3104 carries on to the second stage of infection.

At this moment, the trojan copies another backdoor into the directory of the appropriate app and launches it. Researchers say the primary function of this component is downloading and installing additional malicious modules and this malware was added to the Dr.Web virus database as Android.Backdoor.854.origin.

This Android.Backdoor.854.origin connects to one of several C&C servers, sending a request with a certain array of technical data about the device. The server sends a list of plugins that the trojan will download, decrypt and run. Thus it allows for reading chats, listening to phone calls, and conducting malicious activities.

“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules”, Doctor Web

Additionally, during the process, these trojans execute various Lua scripts which are used to download and install other software. It is just such a Trojan, Android.FakeUpdates.1.origin – that has been discovered on one of the targeted smartphones.

Finally, to stay away from these malicious malware activities, Doctor Web suggests users purchase mobile devices in official stores and from reputable distributors. It is essential to use anti-virus and install all available OS updates on the device.

Also, Dr.Web Security Space for Android successfully detects and (if root access is available) neutralizes the above-described trojans, curing infected devices.

Secure Azure AD Conditional Access – Download Free White Paper

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles