Budget Android devices may be a reason for the new backdoors on your WhatsApp

marek-piwnicki-M2srdrmG4QE-unsplash (1)

The affected devices are claimed to have a modern and secure Android OS version installed on them. But, in reality, they are based on an obsolete version which has multiple vulnerabilities in it.

Doctor Web has discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models. These trojans are designed to target arbitrary code execution in the WhatsApp and WhatsApp Business messaging apps and can potentially be used in different attack scenarios. Among them is the interception of chats and the theft of confidential information that could be found in them; this malware can also execute spam campaigns and various scam schemes. This is not the only risk factor for users. The affected devices have been claimed to have a modern and secure Android OS version installed. But, in reality, they are based on an obsolete version subject to multiple vulnerabilities. 

According to their research report, At least 4 smartphone models were affected:

  1. P48pro
  2. radmi note 8
  3. Note30u
  4. Mate40

Specifically, the tampering concerns two files “/system/lib/libcutils.so” and “/system/lib/libmtd.so” that are modified in such a manner that when the libcutils.so system library is used by any app, it triggers the execution of a trojan incorporated in libmtd.so.

If the apps using the libraries are WhatsApp and WhatsApp Business, libmtd.so proceeds to launch a third backdoor whose main responsibility is to download and install additional plugins from a remote server onto the compromised devices.

“The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps,” Dr Web researchers said.

“As a result, they gain access to the attacked apps’ files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules.”

On the other hand, should the app using the libraries turn out to be wpa_supplicanta system daemon that’s used to manage network connections – libmtd.so is configured to start a local server which allows connections from a remote or local client via the “mysh” console. 

Doctor Web theorised the system partition implants could be part of the FakeUpdates (aka SocGholish) malware family based on discovering another trojan embedded into the system application responsible for over-the-air (OTA) firmware updates. 
If you want more detailed guidance to create better privacy in your mobile devices, don’t try to hesitate to contact us.

Spread the word