An investigation by Upstream’s Secure-D platform found that pre-installed Android malware on a major Chinese brand of smartphones has been targeting users in Africa.
Researchers detected xHelper/Triada malware on thousands of devices between March 2019 and August 2020.
This Triada malware acts as a backdoor to download the xHelper trojan. Disguising itself as regular software, xHelper then submits subscription requests without the device owner knowing.
“When xHelper components were found in the right environment and connected to Wi-Fi or 3G network (e.g. inside a South African network), they made queries to find new subscription targets, and then proceeded to make fraudulent subscription requests,” Secure-D researchers said.
Most of the fraudulent transaction attempts came from devices in Ethiopia, Cameroon, Egypt, Ghana, and South Africa.
However, in many cases users did not install this malware themselves. Rather, it came pre-installed on the phones.
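The behaviour described above, a trojan that quietly queries for subscription targets and then fires off subscription requests the owner never confirmed, is what a carrier-side fraud filter looks for. The following is an added example written for this article, not Secure-D's or Upstream's code: it parses constructed subscription-request log lines (the pipe-separated format, the device identifiers and the service names are all made up for the example) and flags devices that either submit requests without a user confirmation step or submit a burst of requests in a short window, which is the pattern an automated trojan produces and a human user normally does not.

```python
"""
Heuristic detector for automated carrier-billing subscription requests.

Added example, not Secure-D's code. The log format below is constructed:
    <ISO timestamp>|<device id>|<subscription service>|<user confirmed: 1/0>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: dev-B behaves like an automated trojan,
# dev-D sends one unconfirmed request, dev-A and dev-C look like real users.
SAMPLE_LOG = [
    "2020-03-01T10:00:00|dev-A|svc-alpha|1",
    "2020-03-01T10:01:00|dev-B|svc-alpha|0",
    "2020-03-01T10:02:00|dev-B|svc-beta|0",
    "2020-03-01T10:03:00|dev-B|svc-gamma|0",
    "2020-03-01T10:04:00|dev-B|svc-delta|0",
    "2020-03-01T12:00:00|dev-C|svc-beta|1",
    "2020-03-01T12:30:00|dev-C|svc-gamma|1",
    "2020-03-01T13:00:00|dev-D|svc-alpha|0",
]


@dataclass(frozen=True)
class SubRequest:
    ts: datetime
    device_id: str
    service: str           # subscription target being requested
    user_confirmed: bool   # whether the owner explicitly confirmed the flow


def parse_log(lines):
    """Parse the constructed pipe-separated log lines into SubRequest records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, dev, svc, confirmed = line.split("|")
        records.append(SubRequest(datetime.fromisoformat(ts), dev, svc, confirmed == "1"))
    return records


def flag_suspicious(requests, window=timedelta(minutes=10), max_per_window=3):
    """
    Return {device_id: [reasons]} for devices whose requests look automated:
      - "burst": more than max_per_window requests inside any sliding window
      - "unconfirmed": at least one request with no user confirmation step
    """
    by_device = defaultdict(list)
    for req in requests:
        by_device[req.device_id].append(req)

    flagged = {}
    for dev, reqs in by_device.items():
        reqs.sort(key=lambda r: r.ts)
        reasons = set()
        start = 0
        for end in range(len(reqs)):
            # Shrink the window from the left until it spans at most `window`.
            while reqs[end].ts - reqs[start].ts > window:
                start += 1
            if end - start + 1 > max_per_window:
                reasons.add("burst")
        if any(not r.user_confirmed for r in reqs):
            reasons.add("unconfirmed")
        if reasons:
            flagged[dev] = sorted(reasons)
    return flagged


def detect(lines):
    """Convenience wrapper: parse log lines and return the flagged devices."""
    return flag_suspicious(parse_log(lines))


if __name__ == "__main__":
    for device, reasons in detect(SAMPLE_LOG).items():
        print(f"{device}: {', '.join(reasons)}")
```

In this constructed sample only dev-B trips the burst rule, because four requests to four different services within four minutes is the "find targets, then subscribe" loop the researchers describe rather than a person browsing; dev-D is flagged only for the missing confirmation. Real deployments would tune the window and threshold to the carrier's own traffic and add the subscriber's opt-in records as a second signal, but the two rules here are the core of what separates automated subscription fraud from legitimate sign-ups.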
Which Android phones had the malware pre-installed?
The incidents covered in the report affect Tecno W2 devices, made by Chinese manufacturer Transsion Holdings.
Secure-D detected the issue last year when it blocked millions of fraudulent subscription requests from the malware.
Transsion Holdings — which makes Tecno, Infinix, and Itel smartphones — is the top selling mobile phone manufacturer in Africa.
“In the period under investigation, Secure-D detected and blocked nearly 800k xHelper suspicious requests from W2 devices. The persistent xHelper trojan was found on 53 000 W2 Transsion devices,” Secure-D said in its investigation findings.
During the investigation, researchers acquired both new and previously owned Tecno W2 phones.
As a result, researchers confirmed that the malware came with the new devices.
How did the malware get on the phones?
Google attributes the malware’s installation to a malicious actor somewhere in the supply chain. Pre-installed malware of this kind is a recurring issue that has surfaced on several occasions.
“It is common that developers and manufacturers are usually unaware of the malware infection,” Secure-D notes.
Researchers did not find the malware on other phone models made by Transsion.
This also isn’t the first time that the malware has appeared pre-installed on budget Android devices. In 2019, a similar issue affected Alcatel handsets.
In fact, cybercriminals specifically target budget Android phones in certain markets.
“Cybercriminals see the devices as easier to compromise and convert into vectors for click fraud,” Secure-D says.
“Even though Triada is known for some time and various publications have warned about it as a backdoor threat, it remains active till today infecting users’ phone devices and facilitating mobile click fraud,” researchers add.
The malware is incredibly difficult to remove from devices — even with a factory reset of the phone. Luckily, fraud detection systems block most of these transactions.
However, Secure-D warns prepaid phone users in these markets to check their transaction history to see if any suspicious activity shows up.
You can read more on the findings on the Upstream website.
Feature image: Secure-D/Upstream