A team of mobile security researchers has discovered backdoors in the system partition of some budget Android device models that are counterfeit versions of known brand-name models.
The malware, which the Doctor Web team first discovered in July 2022, was found in at least four different smartphones: ‘P48pro’, ‘radmi note 8’, ‘Note30u’ and ‘Mate40’.
“These incidents are united by the fact that the attacked devices were copycats of famous brand-name models,” Doctor Web wrote. “Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version.”
According to the security researchers, the trojans target arbitrary code execution in the WhatsApp and WhatsApp Business messaging apps and could potentially be used in different attack scenarios.
“Among them is the interception of chats and the theft of the confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes,” Doctor Web wrote.
From a technical standpoint, the security researchers said their antivirus detected changes in two different system objects.
“To download modules, [the malware] connects to one of several C&C (command-and-control) servers, sending a request with a certain array of technical data about the device. In response, the server sends a list of plugins that the trojan will download, decrypt and run,” Doctor Web explained.
The mobile antivirus provider warned that the new malicious apps could be a member of the Android.FakeUpdates trojan family, often used by malicious actors to infiltrate various system components, including firmware updating software, the default settings app or the component responsible for the system graphical interface.
“To avoid the risk of becoming a victim of these and other malicious programs, Doctor Web recommends that users purchase mobile devices in official stores and from reputable distributors,” the company added. “Using an anti-virus and installing all available OS updates is also important.”
The advisory comes days after Google published its latest Android security bulletin in which it said it patched a total of 37 vulnerabilities.