Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Backdoors Found on Counterfeit Android Phones

Russian cybersecurity firm Doctor Web has identified multiple backdoors on the system partitions of several Android devices that are counterfeit versions of popular phones.

Russian cybersecurity firm Doctor Web has identified multiple backdoors on the system partitions of several Android devices that are counterfeit versions of popular phones.

The identified smartphones – all pretending to be popular brand-name models such as P48pro, Redmi Note 8, Note30u, and Mate40 – are budget phones powered by an obsolete operating system version (Android 4.4.2), while pretending to run a more recent platform iteration.

Running an older Android version represents in itself a security risk, considering the large number of vulnerabilities that Google has been addressing every month over the past several years.

On top of that, Doctor Web discovered on the system partitions of these devices modified libraries designed to launch malware when in use by any application.

Specifically, the libcutils.so library was modified to launch a trojan from libmtd.so when used. If used by WhatsApp, WhatsApp Business, Settings, or phone system apps, the trojan would proceed with dropping a second-stage payload.

The main purpose of the dropped payload, which Doctor Web detects as a backdoor, is to fetch additional malicious modules from a remote server and to execute them on the infected device.

According to Doctor Web, the malware and the modules were designed in such a manner that they become part of the targeted apps.

“As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules,” the cybersecurity firm says.

Doctor Web also discovered that, should the wpa_supplicant system app (which controls wireless connections) be calling the modified library, the libmtd.so trojan library would start a local server, to enable a client to connect and operate in the ‘mysh’ console application.

According to the security firm, the malicious applications were dropped on the infected devices via a ‘FakeUpdates’ trojan typically embedded into system components such as software responsible for firmware updates, the system’s graphical interface, or the default settings app.

“While in operation, these trojans execute various Lua scripts that they particularly use to download and install other software,” Doctor Web notes.

Related: ‘Octo’ Android Trojan Allows Cybercrooks to Conduct On-Device Fraud

Related: SharkBot Android Malware Continues Popping Up on Google Play

Related: ‘Xenomorph’ Android Trojan Targets 56 Banking Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.