Android knock-offs used by threat actors to target WhatsApp messages


Cheap and insecure counterfeit Android phones are being exploited by crooks to spy on WhatsApp chats and steal confidential information from them, according to recent findings from a cybersecurity firm.

Doctor Web said it had “discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models.”


At least four counterfeit smartphone models – “P48pro,” “Radmi note 8,” “Note30u,” and “Mate40” – have been found to carry the backdoor, which allowed threat actors to deploy trojans against WhatsApp users.

“These trojans target arbitrary code execution in the WhatsApp and WhatsApp Business messaging apps and can potentially be used in different attack scenarios,” said Doctor Web. “Among them is the interception of chats and the theft of the confidential information that could be found in them. This malware can also execute spam campaigns and various scams.”

But it warned that the infected devices themselves also pose a risk to users, because their vendors fraudulently claim they have “a modern and secure Android OS [operating system] installed on them. But, in reality, they are based on an obsolete version subject to multiple vulnerabilities.”

Buyer beware

Doctor Web carried out the investigation that led to the discovery after receiving tip-offs last month from users of the Android smartphones, who complained of “suspicious activity” on their handsets. The cybersecurity firm’s antivirus program subsequently detected irregular changes and malware in the smartphones’ systems.

It added: “These incidents are united by the fact that the attacked devices were copycats of famous brand-name models. Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details – for example, Android 10 – they had the long outdated 4.4.2 version.”
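The mismatch described above (device details showing Android 10 while the system is really 4.4.2) can be spotted by cross-checking the version properties a handset reports. The script below is an added defensive example, not code from Doctor Web's report: it assumes the `adb shell getprop` output format and the public release-to-API-level pairs, parses a constructed getprop dump and flags contradictions between `ro.build.version.release`, `ro.build.version.sdk` and `ro.build.fingerprint`. The report does not say how the counterfeits spoofed the displayed version, so the sample dump is constructed.

```python
import re
# Public Android release -> API level pairs the check relies on.
RELEASE_TO_SDK = {"4.4": 19, "5.0": 21, "5.1": 22, "6.0": 23, "7.0": 24, "7.1": 25,
                  "8.0": 26, "8.1": 27, "9": 28, "10": 29, "11": 30, "12": 31, "13": 33}
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Parse `[key]: [value]` lines (the `adb shell getprop` format) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def expected_sdk(release):
    """Map '4.4.2' -> 19 and '10' -> 29; None for a release string not in the table."""
    for key in sorted(RELEASE_TO_SDK, key=len, reverse=True):
        if release == key or release.startswith(key + "."):
            return RELEASE_TO_SDK[key]
    return None

def check_version_props(props):
    """Return findings where the advertised release contradicts other build data."""
    findings = []
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    want = expected_sdk(release)
    if want is None:
        findings.append(f"unrecognised release string {release!r}")
    elif sdk != str(want):
        findings.append(f"release {release} implies API level {want}, device reports {sdk!r}")
    # Fingerprint layout: brand/product/device:release/id/incremental:variant/tags
    parts = props.get("ro.build.fingerprint", "").split("/")
    if len(parts) >= 3 and ":" in parts[2]:
        fp_release = parts[2].split(":", 1)[1]
        if fp_release != release:
            findings.append(f"fingerprint carries release {fp_release}, properties say {release}")
    return findings

# Constructed sample (not real device output): the settings-facing release string says
# Android 10, but the API level and build fingerprint are those of Android 4.4.2.
SPOOFED_DUMP = "\n".join([
    "[ro.build.version.release]: [10]",
    "[ro.build.version.sdk]: [19]",
    "[ro.build.fingerprint]: [example/dev/dev:4.4.2/KOT49H/1:user/release-keys]",
])
if __name__ == "__main__":
    for finding in check_version_props(parse_getprop(SPOOFED_DUMP)):
        print("MISMATCH:", finding)
```

On a real handset, feed it the output of `adb shell getprop`; a consistent device yields an empty findings list.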

Doctor Web said the combination of authentic-sounding brand names, outdated operating systems and false version information led it to conclude that the infected devices were fakes. It urged users to purchase mobile phones from official retailers to avoid falling foul “of these and other malicious programs” and to use an up-to-date OS and reputable antivirus software.

It added that the most likely origin of the malware discovered in the infected devices was the Android.FakeUpdates family of trojans, which it has observed for years.


“Malicious actors embed them into various system components, like firmware updating software, the default settings app, or the component responsible for the system graphical interface,” said Doctor Web. “While in operation, these trojans execute scripts to download and install other software.”