Pre-Installed Malware On Thousands Of Cheap Android Phones

Reading Time: 4 minutes

Regardless of who you are or what you do for a living – few things are more concerning than finding out that someone or some ‘group’ was not only watching your personal devices but extracting data or injecting ads.

This concern has recently become a real problem for Chinese owned Tecno, especially as this dual-threat has been identified as targeting lower economic and socially displaced users in emerging markets.

Triada and xHelper affecting over 200,000 used or newly purchased phones for 19.2 Million transactions

The Chinese-owned African mobile phone giant, Tecno, is fighting the allegations that its W2 phones shipped with pre-installed malware.

Researchers have recently identified that Ethiopia, Egypt, South Africa and Ghana had been selected as targets for these malware variants being pre-installed on the Transsion’s Tecno W2 handsets.

Tecno claims that the Triada malware was first discovered in April of 2018 and since it’s identification, the company has made available a patch that customers could apply to remove the program from the Tecno W2 phones.

The company added that if customers ran any system updates on their phones since 2018, then that would have eliminated the problem. For those who haven’t yet done so the company advised: “For current W2 users facing Triada issue presently, we advise that they download the [over the air] fix on their phone for installation, or contact TECNO’s after-sales service support for assistance.”

While this is good in all respects, no mention had been made regarding the xHelper malware that was also discovered by Secure-D.

What Happened?

Provided by Upstream’s security platform known as Secure-D, their findings identified that Chinese manufacturer, Transsion, manufacturers low-cost Android smartphones. These phones have a significant prominence in emerging markets such as Ethiopia, Egypt, South Africa and Ghana.

“Secure-D acquired a selection of Tecno W2 mobile phones, both used from real users and newly purchased, to analyze the nature of the software that caused the fraudulent subscription requests. The analysis was carried out using a combination of device models and firmware versions. Phones were used for different purposes and connected to different types of networks. “The investigation confirmed that Tecno W2 devices came with Triada-related malware pre-installed. Triada is a well-known and extensively investigated malware that acts as a software backdoor and malware downloader.”

Further investigation and research let security experts to declare that the pre-installed software was Triada.

What is Triada

Triada malware is a software backdoor and execution point of sorts – with the capability to communicate with a ‘command and control’ server as well as process code after receiving direction from the C&C server.

Triada is very well known within the cyber security industry for downloading additional malicious scripts that are targeting sensitive data from banking applications, video and voice conversations, social media messages as well as direct cyber espionage access to the device’s peripherals.

In this specific instance, the analaysis of the communication revealed that Triada was accessing several malicious domains across the globe. None of the servers being communicated with are linked to the manufacturer.

While the manufacturer did report a patch to fix the issue, Triada is known for being extremely resilient during removal attempts and can be nearly impossible to detect by the average user.

Second Phase – xHelper

As if the first phase was not bad enough, Secure-D continued to uncover issues associated with the phones.

xHelper was downloaded by Triada which would enable click or subscription fraud campaigns. In this instance it was identified on over 53,000 Transsion Tecno W2 smartphones.

When tested in South Africa, without the users permission or approval, the malicious software would reach out to new targets and automatically make subscription requests for fraudulent activities.

If identified, the xHelper trojan makes reboots, factory resets, uninstalling applications or other removal attempts nearly impossible to complete.

So – Just Uninstall It

This malicious software combo was not placed here to just be ‘uninstalled’ and the user go on their merry way.

The malicious components are stored in an directory that cannot be deleted and has an extremely persistent keep alive functionality programmed. Secure-D researchers were able to identify one such application.

On one device Secure-D, researchers uninstalled com.comona.bac, com.mufc.umbtts, and com.mufc.firedoor while the phone was kept offline. Approximately 5 minutes later and with no Internet connection, all 3 applications had been automatically re-installed

xHelper is also not new to the information security world having been identified in 45,000 android phones last year.

Leave a Reply

Your email address will not be published. Required fields are marked *