Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Backdoors Found on Counterfeit Android Phones

Russian cybersecurity firm Doctor Web has identified multiple backdoors on the system partitions of several Android devices that are counterfeit versions of popular phones.

Russian cybersecurity firm Doctor Web has identified multiple backdoors on the system partitions of several Android devices that are counterfeit versions of popular phones.

The identified smartphones – all pretending to be popular brand-name models such as P48pro, Redmi Note 8, Note30u, and Mate40 – are budget phones powered by an obsolete operating system version (Android 4.4.2), while pretending to run a more recent platform iteration.

Running an older Android version represents in itself a security risk, considering the large number of vulnerabilities that Google has been addressing every month over the past several years.

On top of that, Doctor Web discovered on the system partitions of these devices modified libraries designed to launch malware when in use by any application.

Specifically, the libcutils.so library was modified to launch a trojan from libmtd.so when used. If used by WhatsApp, WhatsApp Business, Settings, or phone system apps, the trojan would proceed with dropping a second-stage payload.

The main purpose of the dropped payload, which Doctor Web detects as a backdoor, is to fetch additional malicious modules from a remote server and to execute them on the infected device.

According to Doctor Web, the malware and the modules were designed in such a manner that they become part of the targeted apps.

“As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules,” the cybersecurity firm says.

Doctor Web also discovered that, should the wpa_supplicant system app (which controls wireless connections) be calling the modified library, the libmtd.so trojan library would start a local server, to enable a client to connect and operate in the ‘mysh’ console application.

According to the security firm, the malicious applications were dropped on the infected devices via a ‘FakeUpdates’ trojan typically embedded into system components such as software responsible for firmware updates, the system’s graphical interface, or the default settings app.

“While in operation, these trojans execute various Lua scripts that they particularly use to download and install other software,” Doctor Web notes.

Related: ‘Octo’ Android Trojan Allows Cybercrooks to Conduct On-Device Fraud

Related: SharkBot Android Malware Continues Popping Up on Google Play

Related: ‘Xenomorph’ Android Trojan Targets 56 Banking Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.