August 22, 2022

Doctor Web reports that it has discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models. These trojans target arbitrary code execution in the WhatsApp and WhatsApp Business messaging apps and can potentially be used in different attack scenarios. Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This, however, is not the only risk factor for users. The affected devices are claimed to have a modern and secure Android OS version installed on them. But, in reality, they are based on an obsolete version subject to multiple vulnerabilities.

In July, several users contacted Doctor Web’s anti-virus laboratory with complaints about suspicious activity on their Android smartphones. In particular, Dr.Web Anti-Virus was detecting changes in the system storage area as well as the appearance of the same malware in the system partition. These incidents are united by the fact that the attacked devices were copycats of famous brand-name models. Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version.

At least 4 smartphone models were affected:

• «P48pro»
• «radmi note 8»
• «Note30u»
• «Mate40»

The names of these models are consonant with the names of some of the models produced by famous manufacturers. This, coupled with the false information about the installed OS version, de facto allows us to consider these devices as fakes.

Thanks to the system partition integrity-monitoring function and the ability to track file changes in this partition, Dr.Web Anti-Virus detected changes in the following objects:

• /system/lib/libcutils.so
• /system/lib/libmtd.so

The object libcutils.so is a system library, which is harmless by design. However, it has been modified in such a way that when it is used by any application, a trojan from the libmtd.so file is launched. Dr.Web detects the modified version of this system library as Android.BackDoor.3105.

The libmtd.so trojan library was dubbed Android.BackDoor.3104, in accordance with Doctor Web’s classification system. The actions it performs are based on which program is using the libcutils.so library (i.e., which of the apps actually led to the backdoor execution through this library). If WhatsApp and WhatsApp Business messengers or “Settings” and “Phone” system apps are using it, Android.BackDoor.3104 proceeds to the second stage of infection. Here, the trojan copies another backdoor into the directory of the appropriate app and launches it. This malware was added to the Dr.Web virus database as Android.Backdoor.854.origin. The main functionality of this component is downloading and installing additional malicious modules.

To download modules, Android.Backdoor.854.origin connects to one of several C&C servers, sending a request with a certain array of technical data about the device. In response, the server sends a list of plugins that the trojan will download, decrypt and run. The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules.

If the wpa_supplicant system app (which controls wireless connections) was involved in the trojan’s launch, Android.BackDoor.3104 starts a local server. It allows a remote or local client to connect and operate in the “mysh” console application, which must first be installed on the device or initially present in its firmware.

The most likely source of the malicious apps discovered in the system partition of the attacked devices could be a member of the Android.FakeUpdates trojan family, which has been known about for many years. Malicious actors embed them into various system components, like firmware updating software, the default settings app or the component responsible for the system graphical interface. While in operation, these trojans execute various Lua scripts that they particularly use to download and install other software. It is just such a trojan—Android.FakeUpdates.1.origin—that has been discovered on one of the targeted smartphones.

To avoid the risk of becoming a victim of these and other malicious programs, Doctor Web recommends that users purchase mobile devices in official stores and from reputable distributors. Using an anti-virus and installing all available OS updates is also important.

Dr.Web Security Space for Android successfully detects and (if root access is available) neutralizes the above-described trojans, curing infected devices, so these malicious apps do not pose a threat to our users.

Indicators of compromise

• More details on Android.Backdoor.854.origin
• More details on Android.BackDoor.3104
• More details on Android.BackDoor.3105
• More details on Android.FakeUpdates.1.origin

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download