The counterfeit phones contain multiple trojans that Doctor Web found in July 2022 in the system partitions of four different smartphone models: Mate40, Note30u, radmi note 8, and P48pro.
The cybersecurity firm's report states that the incidents had one thing in common: the affected devices were copycats of well-known mobile phone brands. None of them had a current OS release installed; rather than Android 10, all of them were running the long-outdated Android 4.4.2.
The tampering involves two files, /system/lib/libcutils.so and /system/lib/libmtd.so, modified so that whenever any app loads the libcutils.so system library, the trojan embedded in libmtd.so is executed.
If the app loading the library is WhatsApp or WhatsApp Business, libmtd.so launches a third backdoor, which is responsible for downloading and installing additional plugins from a remote server onto the compromised device.
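The two indicators described above (a firmware that advertises a newer Android release than the SDK level it actually runs, and a libcutils.so that has been altered to pull in libmtd.so) can be turned into a small triage script. The following is an added example written for this article, not code from Doctor Web or the article's author; the `getprop` output, the library byte strings and the hash allowlist are all constructed placeholders that a practitioner would replace with data read from the device and from a pristine firmware image.

```python
"""Triage checks for a suspected counterfeit Android device.

Two checks, both derived from the indicators in the article:
  1. the advertised Android release (ro.build.version.release) does not match
     the SDK/API level the system actually reports (ro.build.version.sdk);
  2. /system/lib/libcutils.so differs from a known-good copy, or contains a
     reference to libmtd.so, which a clean libcutils.so does not carry.
All inputs below are constructed for the example.
"""
import hashlib
import re

# Android release -> API level, for the releases that matter here
# (4.4.2 is KitKat / API 19, Android 10 is API 29).
API_LEVEL_FOR_RELEASE = {"4.4.2": 19, "10": 29}

# Constructed `getprop` output from a device that claims Android 10 but
# reports the KitKat API level.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [19]
[ro.product.model]: [Mate40]
"""

# Constructed stand-ins for the library file contents. A real scan would
# read /system/lib/libcutils.so from the device (e.g. via `adb pull`).
CLEAN_LIBCUTILS = b"\x7fELF" + b"\x00" * 60 + b"libc.so\x00liblog.so\x00"
PATCHED_LIBCUTILS = b"\x7fELF" + b"\x00" * 60 + b"libc.so\x00libmtd.so\x00liblog.so\x00"

# Placeholder allowlist: replace with SHA-256 values taken from a pristine
# firmware image of the genuine device model.
KNOWN_GOOD_SHA256 = {
    "/system/lib/libcutils.so": hashlib.sha256(CLEAN_LIBCUTILS).hexdigest(),
}


def parse_getprop(text):
    """Parse `getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M):
        props[m.group(1)] = m.group(2)
    return props


def release_sdk_mismatch(props):
    """True when the advertised release does not match the reported SDK level."""
    release = props.get("ro.build.version.release", "")
    sdk = int(props.get("ro.build.version.sdk") or 0)
    expected = API_LEVEL_FOR_RELEASE.get(release)
    return expected is not None and expected != sdk


def library_findings(path, data):
    """Return a list of findings for one system library's contents."""
    findings = []
    expected = KNOWN_GOOD_SHA256.get(path)
    if expected and hashlib.sha256(data).hexdigest() != expected:
        findings.append("hash differs from known-good firmware copy")
    # A clean libcutils.so has no business referencing libmtd.so; the string
    # alone is enough to flag the file for closer (disassembly-level) review.
    if path.endswith("libcutils.so") and b"libmtd.so" in data:
        findings.append("libcutils.so references libmtd.so")
    return findings


def triage(getprop_text, libraries):
    """Combine both checks into one report: {indicator: [findings]}."""
    report = {}
    props = parse_getprop(getprop_text)
    if release_sdk_mismatch(props):
        report["build"] = [
            "release %s does not match SDK level %s"
            % (props.get("ro.build.version.release"), props.get("ro.build.version.sdk"))
        ]
    for path, data in libraries.items():
        findings = library_findings(path, data)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for key, lines in triage(SAMPLE_GETPROP,
                             {"/system/lib/libcutils.so": PATCHED_LIBCUTILS}).items():
        for line in lines:
            print("%s: %s" % (key, line))
```

Run against a real device, the script would take the output of `adb shell getprop` and the pulled library files; the string check is deliberately crude and serves only to prioritise which file to hand to a reverse engineer, while the hash comparison is the authoritative test once a known-good image is available.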
The researchers stated that such backdoors are dangerous because of the way they operate: they become part of the app they target. Besides gaining access to the app's files, they can read chats, send spam, intercept and listen in on phone calls, and carry out other malicious actions, depending on the functionality of the modules that get downloaded.
Doctor Web's theory is that the system-partition implants may be part of the FakeUpdates (SocGholish) malware family. The theory rests on the discovery of another trojan embedded in the system application responsible for OTA (over-the-air) firmware updates.
That rogue app is designed to exfiltrate detailed metadata about the infected device and to download and install other software without the user's knowledge, usually by means of Lua scripts.
Such malware can easily be avoided by purchasing phones only from the brand's official stores and other legitimate distributors.