WhatsApp-spying virus found infesting knock-off Android smartphones
Doctor Web security researchers have identified at least four counterfeit Android smartphones with trojan malware in the system partition that targets WhatsApp and WhatsApp Business.
“These trojans target arbitrary code execution in the WhatsApp and WhatsApp Business messaging apps and can potentially be used in different attack scenarios.”
“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes,” Doctor Web said.
The security vendor said it was alerted to the malicious software when users reported suspicious activity on their Android smartphones in July.
The devices misled users by claiming to run Android 10, but Doctor Web found that all of the affected devices were actually running Android 4.4.2.
The four knock-off Android smartphones affected were as follows:
- P48pro
- radmi note 8
- Note30u
- Mate40
Notably, their names are suspiciously similar to the model names of well-respected brands like Huawei, Xiaomi, and Samsung. However, these devices have nothing to do with those companies.
“The names of these models are consonant with the names of some of the models produced by famous manufacturers.”
“This, coupled with the false information about the installed OS version, de facto allows us to consider these devices as fakes,” Dr Web said.
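A defender-side check for the spoofed OS version described above, as an added example that is not from the article or from Doctor Web: it parses `adb shell getprop` output and flags a device whose advertised `ro.build.version.release` disagrees with its `ro.build.version.sdk` (the property names and the release-to-API table are standard Android values; the sample output and model name are constructed).

```python
import re

# Public Android release -> API level pairs (platform facts, not taken from the article).
RELEASE_TO_SDK = {
    "4.4": 19, "5.0": 21, "5.1": 22, "6.0": 23, "7.0": 24, "7.1": 25,
    "8.0": 26, "8.1": 27, "9": 28, "10": 29, "11": 30, "12": 31, "13": 33,
}

# One line of `adb shell getprop` output looks like: [ro.build.version.sdk]: [19]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Parse `getprop` output into a {property: value} dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def expected_sdk(release):
    """Map a release string such as '4.4.2' or '10' to its API level (None if unknown)."""
    parts = release.split(".")
    for n in (2, 1):
        level = RELEASE_TO_SDK.get(".".join(parts[:n]))
        if level is not None:
            return level
    return None

def version_findings(props):
    """Return findings when the advertised release and the API level disagree."""
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    if not sdk.isdigit():
        return [f"ro.build.version.sdk is missing or non-numeric: {sdk!r}"]
    want = expected_sdk(release)
    if want is None:
        return [f"unrecognised ro.build.version.release {release!r}"]
    if want != int(sdk):
        return [f"release {release} implies API {want} but ro.build.version.sdk is {sdk}: "
                "OS version appears to be spoofed"]
    return []

# Constructed sample: a device advertising Android 10 while its API level is that of 4.4 (19).
FAKE_GETPROP = """\
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [19]
[ro.product.model]: [EXAMPLE-MODEL]
"""

if __name__ == "__main__":
    for finding in version_findings(parse_getprop(FAKE_GETPROP)):
        print("WARNING:", finding)
```

A real device that lies only in its user-facing "About phone" screen may still report consistent properties here, so treat a clean result as one signal, not proof of authenticity.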
Two files in the system partition of these devices, “/system/lib/libcutils.so” and “/system/lib/libmtd.so”, are modified to open various backdoors on a device.
When libcutils.so is loaded by any application, it launches the trojan contained in the libmtd.so file.
“The actions [the libmtd.so trojan library] performs are based on which program is using the libcutils.so library.”
“If WhatsApp and WhatsApp Business messengers or ‘Settings’ and ‘Phone’ system apps are using it, … the trojan copies another backdoor into the directory of the appropriate app and launches it.”
The security researchers said this backdoor is primarily responsible for downloading and installing additional malicious modules.
“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps.”
“As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules,” Doctor Web said.
Doctor Web advised consumers to purchase smartphones from reputable distributors and official stores, keep software updated, and install anti-virus software to avoid falling victim to backdoors.