Mobile security platform Upstream found built-in malware on 53,000 Tecno W2 devices shipped to 5 African countries. Secure-D, the company’s mobile security service, says that the built-in malware prompts “suspicious subscription requests” which sign up users to digital services without their knowledge. The subscription services, if successful, would consume users’ prepaid airtime as well as generate fake clicks on banner ads in the background.
Secure-D noticed a surge of suspicious transactions from Tecno W2 devices in Ghana, Egypt, Cameroon, South Africa and Ethiopia since March 2019, which triggered an investigation. So far, the company has recorded 19.2 million suspicious transactions which would have signed up users of over 200,000 handsets to subscription services without their consent.
Secure-D blocked a total of 19.2m suspicious subscription sign-ups between March 2019 and August 2020, coming from over 200k unique Transsion devices across 19 countries. Most of the suspicious activity, which is still ongoing, took place in Egypt, Ethiopia, South Africa, Cameroon, and Ghana.
While Transsion phones account for 4% of users on the continent, they contribute 18% of all suspicious clicks.
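As an added example (not Secure-D's tooling), the disproportionality check behind the 4%-versus-18% observation above: a device model whose share of suspicious sign-ups far exceeds its share of the user base is flagged, then broken down by country. The records are constructed sample data; `SAMPLE_EVENTS`, `Brand A` and `Brand B` are assumptions.

```python
from collections import defaultdict

# Constructed sample records, not Secure-D data: one row per attempted
# subscription sign-up or ad click as a carrier-side service would log it.
# (device_id, device_model, country, suspicious); 'suspicious' is the verdict
# of an upstream rule, e.g. a sign-up submitted with no user interaction.
SAMPLE_EVENTS = [
    ("d01", "Tecno W2", "EG", True),  ("d01", "Tecno W2", "EG", True),
    ("d01", "Tecno W2", "EG", True),  ("d02", "Tecno W2", "GH", True),
    ("d02", "Tecno W2", "GH", True),  ("d02", "Tecno W2", "GH", False),
    ("d03", "Brand A", "EG", True),   ("d04", "Brand A", "ZA", False),
    ("d05", "Brand A", "ZA", False),  ("d06", "Brand A", "ET", False),
    ("d07", "Brand A", "CM", False),  ("d08", "Brand B", "GH", True),
    ("d09", "Brand B", "EG", False),  ("d10", "Brand B", "ZA", False),
]

def model_shares(events):
    """Per device model: (share of unique devices, share of suspicious events)."""
    devices = defaultdict(set)
    suspicious = defaultdict(int)
    for dev_id, model, _country, flagged in events:
        devices[model].add(dev_id)
        if flagged:
            suspicious[model] += 1
    total_devices = sum(len(d) for d in devices.values())
    total_suspicious = sum(suspicious.values())
    return {model: (len(devices[model]) / total_devices,
                    suspicious[model] / total_suspicious if total_suspicious else 0.0)
            for model in devices}

def disproportionate_models(events, ratio=2.0):
    """Models whose suspicious-traffic share is at least `ratio` times their
    device share, worst first. Transsion in the report: 18% vs 4%, ratio 4.5."""
    hits = [(m, d, s) for m, (d, s) in model_shares(events).items()
            if s > 0 and s >= ratio * d]
    hits.sort(key=lambda h: h[2] / h[1], reverse=True)
    return [(m, round(d, 3), round(s, 3)) for m, d, s in hits]

def suspicious_by_country(events, model):
    """Where a flagged model's suspicious events originate, most affected first."""
    counts = defaultdict(int)
    for _dev_id, m, country, flagged in events:
        if m == model and flagged:
            counts[country] += 1
    return sorted(counts.items(), key=lambda c: c[1], reverse=True)
```

On the sample, Tecno W2 is 20% of devices but 71% of suspicious events and is the only model flagged at the default ratio.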
A Transsion spokesperson told Buzzfeed News that the company did not profit from the built-in malware, shifting the blame to a vendor in the supply chain process.
“We have always attached great importance to consumers’ data security and product safety,” they said. “Every single software installed on each device runs through a series of rigorous security checks, such as our own security scan platform, Google Play Protect, GMS BTS, and VirusTotal test.”
No web traffic linked the malware to the phone manufacturer.
This is not the first discovery of invasive built-in malware in low-priced handsets. In 2019, Secure-D found preinstalled malware in the Alcatel models Pixi 4 and A3 Max, disguised as a weather application that collects and transmits location data, email addresses and IMEIs to servers in China. The application, just like Triada and xHelper, siphoned massive amounts of data and attempted transactions in the background.
Similarly, Malwarebytes discovered built-in malware in the ANS UL40 and UMX U683CL, low-end smartphones in the US, which could download apps from a third-party app store. These phones were offered to low-income households in the US via the Lifeline Assistance program.
How the Built-in Malware Affected the User
The report from the security company shows that the low-end smartphones come preinstalled with Triada, a malware with capabilities to download and install other applications. Triada, in turn, installs another malware, xHelper. The malware then compromises essential applications on the mobile phone, making changes to its system libraries that protect it from removal attempts, factory resets and reboots. Files downloaded by the malware are stored in an undeletable directory with administrator access.
Apart from creating fraudulent subscriptions, the built-in malware would also generate fake clicks and install other apps in the background. The clicks generated on banner ads in the background then generate millions for cyber-criminals, who defraud advertisers by creating fake impressions.
Analysis of internet traffic shows that the devices had access to command and control servers linked to the Triada malware authors.
Fraudsters take advantage of the low pricing of the phones: hardware or software services are offered at a low price, and the cost is recovered through vulnerabilities such as backdoors that let malware in.
Earlier research by antivirus maker Kaspersky indicates that Triada also modifies incoming and outgoing SMS. Modifying SMS allows malware operators to intercept verification messages for in-app purchases, rerouting app payments directed to an app developer. Alternatively, Triada functionality enables malware operators to initiate in-app transactions and process SMS verification without the user’s knowledge.
The report urges users to monitor their data and airtime records for unexpected charges and high data usage.