Budget Android device models that are counterfeit versions
associated with popular smartphone brands are harboring multiple
trojans designed to target WhatsApp and WhatsApp Business messaging
apps.
The trojans, which Doctor Web first came across in July 2022,
were discovered in the system partition of at least four different
smartphones: P48pro, radmi note 8, Note30u, and Mate40.
“These incidents are united by the fact that the attacked
devices were copycats of famous brand-name models,” the
cybersecurity firm said[1]
in a report published today.
“Moreover, instead of having one of the latest OS versions
installed on them with the corresponding information displayed in
the device details (for example, Android 10), they had the long
outdated 4.4.2 version.”
Specifically, the tampering concerns two files,
“/system/lib/libcutils.so” and “/system/lib/libmtd.so”, which are
modified in such a manner that whenever the libcutils.so system library
is used by any app, it triggers[2]
the execution of a trojan incorporated in libmtd.so.
If the apps using the libraries are WhatsApp and WhatsApp
Business, libmtd.so proceeds to launch[3]
a third backdoor whose main responsibility[4]
is to download and install additional plugins from a remote server
onto the compromised devices.
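The two indicators the report describes, tampered system libraries and an advertised OS version that does not match the real platform, can both be checked offline from artefacts pulled off a device. The script below is an added example, not code from Doctor Web or from the article: it assumes a `getprop` dump in the usual `[key]: [value]` format, assumes the spoofed version shows up in `ro.build.version.release` while `ro.build.version.sdk` still reflects the real API level (Android 4.4.2 is API 19, Android 10 is API 29), and compares SHA-256 hashes of the two named libraries against a trusted manifest. The sample `getprop` output and all hashes are constructed for the demonstration; a real check would hash the files from a known-clean firmware image.

```python
"""Offline audit for the two indicators from the counterfeit-phone report:
(1) /system/lib/libcutils.so and /system/lib/libmtd.so differing from a
    trusted manifest, and
(2) ro.build.version.release inconsistent with ro.build.version.sdk.
Added example; sample data is constructed, not taken from a real device."""
import hashlib
import re

# Paths named in the report as the tampered files
SUSPECT_LIBS = ("/system/lib/libcutils.so", "/system/lib/libmtd.so")

# Android release string -> API level (public platform facts; partial table)
RELEASE_TO_SDK = {"4.4.2": 19, "9": 28, "10": 29, "11": 30, "12": 31, "13": 33}


def parse_getprop(text):
    """Parse `getprop` output lines of the form `[key]: [value]`."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[([^\]]+)\]: \[(.*)\]$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def version_mismatch(props):
    """Return a finding string if the advertised release does not match the
    API level, or None when they agree or the release is not in the table."""
    release = props.get("ro.build.version.release")
    sdk = props.get("ro.build.version.sdk")
    if release is None or sdk is None:
        return None
    expected = RELEASE_TO_SDK.get(release)
    if expected is None or not sdk.isdigit():
        return None
    if int(sdk) != expected:
        return (f"ro.build.version.release={release} implies API {expected} "
                f"but ro.build.version.sdk={sdk}")
    return None


def library_mismatches(observed, trusted):
    """observed/trusted map path -> sha256 hex. Report every suspect path
    that is missing, has no trusted value, or whose hash differs."""
    findings = []
    for path in SUSPECT_LIBS:
        got, want = observed.get(path), trusted.get(path)
        if got is None:
            findings.append(f"{path}: not present in observed manifest")
        elif want is None:
            findings.append(f"{path}: no trusted hash to compare against")
        elif got != want:
            findings.append(f"{path}: hash {got[:12]}... differs from trusted {want[:12]}...")
    return findings


def audit(getprop_text, observed_hashes, trusted_hashes):
    """Combine both checks into one list of findings (empty means clean)."""
    findings = library_mismatches(observed_hashes, trusted_hashes)
    vm = version_mismatch(parse_getprop(getprop_text))
    if vm:
        findings.append(vm)
    return findings


# Constructed sample data modelling the report's observations: both libraries
# tampered, and a device claiming Android 10 while still on an API 19 platform.
TRUSTED = {p: hashlib.sha256(f"clean:{p}".encode()).hexdigest() for p in SUSPECT_LIBS}
OBSERVED = {p: hashlib.sha256(f"tampered:{p}".encode()).hexdigest() for p in SUSPECT_LIBS}
SAMPLE_GETPROP = """[ro.build.version.release]: [10]
[ro.build.version.sdk]: [19]
[ro.product.model]: [Note30u]
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_GETPROP, OBSERVED, TRUSTED):
        print("FINDING:", finding)
```

On a real device the inputs come from `adb shell getprop` and from hashing the two libraries after `adb pull`; the trusted hashes must come from a firmware image obtained from the brand's official channel, since on a counterfeit unit the OTA updater itself is reported as compromised.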
“The danger of the discovered backdoors and the modules they
download is that they operate in such a way that they actually
become part of the targeted apps,” the researchers said.
“As a result, they gain access to the attacked apps’ files and
can read chats, send spam, intercept and listen to phone calls, and
execute other malicious actions, depending on the functionality of
the downloaded modules.”
On the other hand, should the app using the libraries turn out
to be wpa_supplicant[5]
– a system daemon[6]
that’s used to manage network connections – libmtd.so is configured
to start a local server which allows connections from a remote or
local client via the “mysh” console.
Doctor Web theorized the system partition implants could be part
of the FakeUpdates[7]
(aka SocGholish[8]) malware family based on
the discovery of another trojan embedded into the system
application responsible for over-the-air (OTA) firmware
updates.
The rogue app, for its part, is engineered[9]
to exfiltrate detailed metadata about the infected device as well
as download and install other software without users’ knowledge via
Lua scripts.
To avoid the risk of becoming a victim of such malware attacks,
it’s recommended that users purchase mobile devices only from
official stores and legitimate distributors.
References
[1] said (news.drweb.com)
[2] triggers (vms.drweb.com)
[3] launch (vms.drweb.com)
[4] responsibility (vms.drweb.com)
[5] wpa_supplicant (android.googlesource.com)
[6] system daemon (source.android.com)
[7] FakeUpdates (thehackernews.com)
[8] SocGholish (blog.sucuri.net)
[9] engineered (vms.drweb.com)
Read more: https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html
