Not everyone can afford high-end mobile devices, especially those from brands like Samsung or Apple. For buyers on a budget, counterfeit Android models that mimic those flagships are available at a fraction of the price. In some cases, however, the bargain comes with a hidden cost: the user’s privacy.
Researchers found that several devices of this kind ship with multiple trojans designed for one purpose only: to infiltrate the WhatsApp and WhatsApp Business messaging apps.
The infiltration is quite sophisticated and hinges on two modified system library files. Whenever an app loads one of those libraries, the trojan is executed. So, how does it work, and which devices are spreading it? Find out below.
Counterfeit Android Devices – Same Design with a Dash of Maliciousness
Using Android phones to target users has become a popular scheme among threat actors in the past few months. In fact, a few weeks back, Google Play Store was in the spotlight for spreading malware through various applications.
As mentioned, look-alike smartphones are built to appeal to people on a budget. There may be a noticeable difference, especially in performance, but they get the job done.
However, because they are in high demand and the buyer has no way to vet the firmware, these phones have become a direct delivery channel for cybercriminals: the malware ships in the system partition, so the device is compromised before it is ever switched on.
According to Doctor Web, several counterfeit Android devices ship with trojans that target the users’ WhatsApp and WhatsApp Business messaging apps (PS: not the first time WhatsApp has been targeted). Here’s what the study states:
“Doctor Web reports that it has discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models.
These trojans target arbitrary code execution in the WhatsApp and WhatsApp Business messaging apps and can potentially be used in different attack scenarios.
Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users.
The affected devices are claimed to have a modern and secure Android OS version installed on them. But, in reality, they are based on an obsolete version subject to multiple vulnerabilities.”
So here’s how the process goes down. It all lies in two files: “/system/lib/libcutils.so” and “/system/lib/libmtd.so”. libcutils.so is a core system library that almost every Android process loads, so the actors modified it to act as a loader: whenever any app uses libcutils.so, the trojan within libmtd.so is executed as well.
If the app that loaded it is WhatsApp or WhatsApp Business, that trojan drops a third backdoor into the app, which later downloads and installs additional plugins onto the compromised device. Because libcutils.so and libmtd.so live in the read-only system partition, the infection survives app reinstalls and factory resets; only reflashing clean firmware removes it.
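One concrete way to check a library pulled from such a device for the modification described above: the Python script below parses the ELF dynamic section and lists the DT_NEEDED entries (what `readelf -d` prints as NEEDED), flags any dependency a clean libcutils.so should not have, and additionally scans for the library name as a plain string in case the modified copy loads libmtd.so with dlopen instead of linking it. This is an added example written for this article, not code from Doctor Web or from the devices; the baseline list EXPECTED_LIBCUTILS_DEPS is an assumption and must be taken from a known-clean build of the same firmware version, and build_sample_elf32 only constructs a stand-in test file so the check can be exercised offline.

```python
import struct

# ELF constants (System V ABI)
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

# ASSUMED baseline: DT_NEEDED names of a clean libcutils.so. Take it from a
# known-good build of the same firmware version rather than trusting this list.
EXPECTED_LIBCUTILS_DEPS = {"libc.so", "liblog.so", "libm.so"}


def _program_headers(data):
    """Return (is64, [(p_type, p_offset, p_vaddr, p_filesz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[5] != 1:
        raise ValueError("only little-endian ELF is handled (all Android ABIs)")
    is64 = data[4] == 2
    if is64:
        hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
        ph_fmt = "<IIQQQQQQ"   # type, flags, offset, vaddr, paddr, filesz, memsz, align
    else:
        hdr = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
        ph_fmt = "<IIIIIIII"   # type, offset, vaddr, paddr, filesz, memsz, flags, align
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        phdrs.append((f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4]))
    return is64, phdrs


def _vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("DT_STRTAB is not backed by a PT_LOAD segment")


def needed_libraries(data):
    """DT_NEEDED names of a shared object, i.e. what `readelf -d` lists as (NEEDED)."""
    is64, phdrs = _program_headers(data)
    dyn = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dyn:
        return []   # no dynamic section, so nothing is pulled in at load time
    _, dyn_off, _, dyn_size = dyn[0]
    fmt, ent = ("<qQ", 16) if is64 else ("<iI", 8)
    entries = []
    for off in range(dyn_off, dyn_off + dyn_size, ent):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = _vaddr_to_offset(phdrs, next(v for t, v in entries if t == DT_STRTAB))
    names = []
    for tag, val in entries:
        if tag == DT_NEEDED:
            end = data.index(b"\0", strtab + val)
            names.append(data[strtab + val:end].decode("ascii", "replace"))
    return names


def unexpected_dependencies(data, expected=EXPECTED_LIBCUTILS_DEPS):
    """Dependencies outside the baseline; libmtd.so showing up here is the red flag."""
    return sorted(set(needed_libraries(data)) - set(expected))


def references_library(data, name="libmtd.so"):
    """True if `name` is linked via DT_NEEDED or embedded as a string (dlopen-style loading)."""
    return name in needed_libraries(data) or name.encode() in data


def build_sample_elf32(needed):
    """CONSTRUCTED minimal ARM ELF32 .so carrying the given DT_NEEDED list (test data only)."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    name_offs, pos = [], 1
    for n in needed:
        name_offs.append(pos)
        pos += len(n) + 1
    ehsize, phent, phnum = 52, 32, 2
    strtab_off = ehsize + phent * phnum
    dyn_off = (strtab_off + len(strtab) + 3) & ~3           # 4-byte align the dynamic table
    dyn = b"".join(struct.pack("<iI", DT_NEEDED, o) for o in name_offs)
    dyn += struct.pack("<iI", DT_STRTAB, strtab_off)        # vaddr == file offset (see PT_LOAD)
    dyn += struct.pack("<iI", DT_STRSZ, len(strtab))
    dyn += struct.pack("<iI", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8     # ELF32, little-endian, version 1
    ehdr += struct.pack("<HHIIIIIHHHHHH", 3, 40, 1, 0, ehsize, 0, 0,
                        ehsize, phent, phnum, 0, 0, 0)        # ET_DYN, EM_ARM, 2 program headers
    ph_load = struct.pack("<IIIIIIII", PT_LOAD, 0, 0, 0, total, total, 5, 4)
    ph_dyn = struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, dyn_off, dyn_off,
                         len(dyn), len(dyn), 6, 4)
    pad = b"\0" * (dyn_off - strtab_off - len(strtab))
    return ehdr + ph_load + ph_dyn + strtab + pad + dyn
```

On a real device, pull the file first with `adb pull /system/lib/libcutils.so` and pass its bytes to `unexpected_dependencies` and `references_library`; a genuine library pulling in a name like libmtd.so, or embedding it as a string, is the signature of the loader trick described above. Compare the file's hash against the same library from a known-clean build as well, since a modified library can also carry its payload without touching the import table.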
A Huge Risk – 4 Known Models
The security research firm received several complaints from users reporting suspicious activity on their smartphones.
These phones are copycats of famous brand-name models which, as mentioned, may have inferior functionality. What is alarming, though, is how outdated their operating system is.
Instead of the current OS release they advertise, these models run Android 4.4.2 (KitKat, released in 2013), which has not received security updates for years and carries numerous known, unpatched vulnerabilities. According to the report, the following models host the trojans:
- «radmi note 8»
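A quick, scriptable way to catch the version deception described above. On Android the user-visible version string comes from the ro.build.version.release property, while the framework and every installed app key off ro.build.version.sdk (the API level). The assumption made here, and it is an assumption rather than something the report states, is that a counterfeit edits the release string to look modern but leaves the API level at KitKat's 19, since raising it would break every app that then expects newer APIs to exist. The following Python is an added example written for this article, not code from Doctor Web or from the page; the build.prop sample is constructed, with the model name taken from the list above.

```python
# Android release -> API level (android.os.Build.VERSION_CODES, as published by Google).
RELEASE_TO_SDK = {
    "4.4": 19, "4.4.1": 19, "4.4.2": 19, "4.4.3": 19, "4.4.4": 19,
    "5.0": 21, "5.1": 22, "6.0": 23, "7.0": 24, "7.1": 25, "8.0": 26, "8.1": 27,
    "9": 28, "10": 29, "11": 30, "12": 31, "13": 33, "14": 34,
}
SDK_TO_RELEASE = {}
for _rel, _sdk in RELEASE_TO_SDK.items():
    SDK_TO_RELEASE.setdefault(_sdk, _rel)   # first (shortest) release name per level

# CONSTRUCTED sample modelled on the deception the report describes: the
# user-visible release string says Android 10, but the API level is KitKat's.
SPOOFED_BUILD_PROP = """\
# begin build properties
ro.product.model=radmi note 8
ro.build.version.release=10
ro.build.version.sdk=19
"""


def parse_build_prop(text):
    """Parse build.prop-style `key=value` lines into a dict (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def sdk_for_release(release):
    """API level implied by a release string; tolerates '8.1.0' and '9.0' spellings."""
    parts = release.split(".")
    for candidate in (release, ".".join(parts[:2]), parts[0]):
        if candidate in RELEASE_TO_SDK:
            return RELEASE_TO_SDK[candidate]
    return None


def check_version_consistency(text):
    """Compare the advertised release with the API level the framework really reports."""
    props = parse_build_prop(text)
    release = props.get("ro.build.version.release", "")
    try:
        sdk = int(props.get("ro.build.version.sdk", ""))
    except ValueError:
        sdk = None
    claimed = sdk_for_release(release)
    result = {"release": release, "sdk": sdk, "claimed_sdk": claimed}
    if claimed is None or sdk is None:
        result["verdict"] = "unknown"          # property missing or release not in the table
    elif claimed == sdk:
        result["verdict"] = "ok"
    else:
        result["verdict"] = "mismatch"         # "About phone" lies about the OS version
        result["actual_release"] = SDK_TO_RELEASE.get(sdk, "?")
    return result
```

Feed it the output of `adb pull /system/build.prop` from the device under test. A mismatch verdict means the release shown under Settings is not the Android version the firmware is actually built from; `adb shell uname -r` is a useful second opinion, because a 2013-era kernel does not ship with a genuinely current Android release either. A counterfeiter could in principle edit both properties, so treat a consistent pair as necessary, not sufficient.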
Now, the question is: once the trojan does its job, what can the attackers do? They can read the attacked apps’ files and chat history, intercept chats, send spam and scam messages from the victim’s account, and, because the backdoor can fetch new plugins, extend its capabilities at will.
A Replica in Form, A Risk to Privacy in Action
When it comes to owning a mobile device, it is always recommended to get the genuine article. That way, you can be reasonably sure no malicious surprises are waiting for you once it is turned on.
Pre-installed trojans that compromise privacy are not rare in this market segment. A device from a reputable brand, by contrast, ships with signed firmware and verified boot, so a tampered system partition is detected at start-up, and it keeps receiving security updates for the vulnerabilities that a 2013-era Android build leaves open.
Finally, if you have no choice but to buy a replica, at least install an anti-virus tool. It can flag the modified system libraries, but with a caveat: an app cannot delete files from the read-only system partition, so neutralising a firmware-level backdoor generally requires root access or reflashing clean firmware, and clean firmware may simply not exist for a counterfeit. Checking the real OS version and the system libraries before trusting the phone with any account is the more reliable approach.