Counterfeit budget Android devices that imitate popular smartphone brands are harboring multiple trojans designed to target the WhatsApp and WhatsApp Business messaging apps.
The malware, which Doctor Web first came across in July 2022, was discovered in the system partition of at least four different smartphones: P48pro, radmi note 8, Note30u, and Mate40.
"These incidents are united by the fact that the attacked devices were copycats of famous brand-name models," the cybersecurity firm said in a report published today.
"Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version."
Specifically, the tampering concerns two files, "/system/lib/libcutils.so" and "/system/lib/libmtd.so", which are modified in such a manner that whenever any app uses the libcutils.so system library, it triggers the execution of a trojan embedded in libmtd.so.
If the apps using the libraries are WhatsApp and WhatsApp Business, libmtd.so proceeds to launch a third backdoor whose main responsibility is to download and install additional plugins from a remote server onto the compromised devices.
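One concrete way a defender can look for this kind of system-library tampering is to check what a pulled copy of libcutils.so actually links against. The report does not say how the modified libcutils.so hands control to libmtd.so, so the check below covers only the simplest case, an extra DT_NEEDED entry, and should be paired with a hash comparison against the same library from a clean firmware image. The code is an added example, not Doctor Web's tooling; the baseline set and the `build_fake_elf32` helper that fabricates a tiny ELF32 ARM shared object for the demonstration are constructed here and are not real device data.

```python
import struct

# ELF constants used below (program-header types and dynamic-section tags).
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def elf_needed(blob: bytes) -> list:
    """Return the DT_NEEDED library names of an ELF32/ELF64 shared object.

    Only the program headers and the PT_DYNAMIC segment are read, so the
    function works on a raw file image pulled from a device even when the
    section headers have been stripped.
    """
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = blob[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    bo = "<" if blob[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if is64:
        hdr = struct.unpack_from(bo + "HHIQQQIHHH", blob, 16)
        ph_fmt, dyn_fmt = bo + "IIQQQQQQ", bo + "qQ"
    else:
        hdr = struct.unpack_from(bo + "HHIIIIIHHH", blob, 16)
        ph_fmt, dyn_fmt = bo + "IIIIIIII", bo + "iI"
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]

    loads, dynamic = [], None
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, blob, e_phoff + i * e_phentsize)
        # Field order differs between ELF32 and ELF64 program headers.
        p_type, p_offset, p_vaddr, p_filesz = (f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4])
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []                            # no dynamic segment: nothing is loaded implicitly

    def vaddr_to_offset(va: int) -> int:
        for seg_va, seg_off, seg_sz in loads:
            if seg_va <= va < seg_va + seg_sz:
                return va - seg_va + seg_off
        raise ValueError("DT_STRTAB address is not backed by any PT_LOAD segment")

    dyn_off, dyn_end = dynamic[0], dynamic[0] + dynamic[1]
    dyn_size = struct.calcsize(dyn_fmt)
    needed_offsets, strtab_va = [], None
    while dyn_off + dyn_size <= dyn_end:
        tag, val = struct.unpack_from(dyn_fmt, blob, dyn_off)
        dyn_off += dyn_size
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed_offsets.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
    if strtab_va is None:
        raise ValueError("dynamic segment has no DT_STRTAB")
    strtab = vaddr_to_offset(strtab_va)
    names = []
    for off in needed_offsets:
        end = blob.index(b"\0", strtab + off)
        names.append(blob[strtab + off:end].decode("ascii", "replace"))
    return names


def unexpected_dependencies(blob: bytes, baseline: set) -> list:
    """Names in DT_NEEDED that a known-good copy of the library does not have."""
    return sorted(set(elf_needed(blob)) - baseline)


# Placeholder baseline: in practice take it from the same library in a clean
# firmware image for the device model, not from this list.
LIBCUTILS_BASELINE = {"libc.so", "libdl.so", "liblog.so", "libm.so"}


def build_fake_elf32(needed: list) -> bytes:
    """Construct a minimal ELF32 ARM shared object whose only content is a
    dynamic segment listing `needed`; constructed test input, not a real lib."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    name_offsets, pos = [], 1
    for n in needed:
        name_offsets.append(pos)
        pos += len(n) + 1
    ehdr_size, phdr_size = 52, 32
    strtab_off = ehdr_size + 2 * phdr_size
    dyn_off = (strtab_off + len(strtab) + 3) & ~3
    dyn = b"".join(struct.pack("<iI", DT_NEEDED, o) for o in name_offsets)
    dyn += struct.pack("<iI", DT_STRTAB, strtab_off) + struct.pack("<iI", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8            # ELF32, LSB, version 1
    ehdr += struct.pack("<HHIIIIIHHHHHH", 3, 40, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, 2, 0, 0, 0)             # ET_DYN, EM_ARM
    # One PT_LOAD mapping the whole file at vaddr 0, so vaddr == file offset.
    ph_load = struct.pack("<IIIIIIII", PT_LOAD, 0, 0, 0, total, total, 5, 0x1000)
    ph_dyn = struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 6, 4)
    blob = ehdr + ph_load + ph_dyn + strtab
    return blob + b"\0" * (dyn_off - len(blob)) + dyn


if __name__ == "__main__":
    clean = build_fake_elf32(["liblog.so", "libc.so"])
    tampered = build_fake_elf32(["liblog.so", "libc.so", "libmtd.so"])
    print("clean:", unexpected_dependencies(clean, LIBCUTILS_BASELINE))
    print("tampered:", unexpected_dependencies(tampered, LIBCUTILS_BASELINE))
```

On a real device the input would be the bytes of `/system/lib/libcutils.so` pulled with `adb pull`; since the parser only walks program headers it does not depend on section headers, which a tampered build may have removed. An absent entry does not clear the file, because the hijack may equally be implemented with a runtime `dlopen` call, which is why the hash comparison against a clean image is the primary check.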
"The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps," the researchers said.
"As a result, they gain access to the attacked apps' files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules."
On the other hand, should the app using the libraries turn out to be wpa_supplicant – a system daemon that's used to manage network connections – libmtd.so is configured to start a local server which allows connections from a remote or local client via the "mysh" console.
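The wpa_supplicant variant of the behaviour gives a defender a simple host-level tell: a Wi-Fi daemon has no reason to accept TCP connections. The following is an added example, not Doctor Web's code, that parses the kernel's `/proc/net/tcp` table, keeps the sockets in LISTEN state and reports those owned by a process that should never listen. The report does not state the port or protocol the "mysh" server uses, so the check keys on the owning process rather than a port. The sample table, the inode-to-process mapping and the port number are constructed for the demonstration; on a rooted device the mapping would come from `collect_inode_owners`, which resolves `/proc/<pid>/fd` links.

```python
import os
import re
from dataclasses import dataclass

TCP_LISTEN = 0x0A   # socket state value for LISTEN in /proc/net/tcp


@dataclass
class Socket:
    local_ip: str
    local_port: int
    state: int
    uid: int
    inode: int


def _decode_ip(addr_hex: str) -> str:
    """The kernel prints IPv4 as one little-endian 32-bit hex word (0100007F = 127.0.0.1)."""
    if len(addr_hex) == 8:
        return ".".join(str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
    return addr_hex            # IPv6 entries from /proc/net/tcp6 are left in raw hex form


def parse_proc_net_tcp(text: str) -> list:
    """Parse the table format of /proc/net/tcp (and tcp6); the header line is skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].endswith(":"):
            continue                                   # header or malformed row
        addr_hex, port_hex = parts[1].split(":")
        sockets.append(Socket(_decode_ip(addr_hex), int(port_hex, 16),
                              int(parts[3], 16), int(parts[7]), int(parts[9])))
    return sockets


def collect_inode_owners(proc: str = "/proc") -> dict:
    """Live helper: map socket inodes to process names via /proc/<pid>/fd/* links.
    Reading other users' fd tables needs root, which is the case on Android too."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                name = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners[int(m.group(1))] = name
        except OSError:
            continue                                   # process exited or not readable
    return owners


def unexpected_listeners(sockets: list, inode_owner: dict, never_listen: set) -> list:
    """Return (process, ip, port) for LISTEN sockets owned by a process in never_listen."""
    hits = []
    for s in sockets:
        if s.state != TCP_LISTEN:
            continue
        owner = inode_owner.get(s.inode, "?")
        if owner in never_listen:
            hits.append((owner, s.local_ip, s.local_port))
    return hits


# Constructed sample: adbd on loopback, wpa_supplicant (uid 1010 = wifi) listening on
# all interfaces, and an established outbound connection from a messaging app.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1 00000000 100 0 0 10 0
   1: 00000000:0F9C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1010        0 22222 1 00000000 100 0 0 10 0
   2: 0F02000A:B4F2 5CDE7A01:01BB 01 00000000:00000000 00:00000000 00000000 10089        0 33333 1 00000000 20 4 30 10 -1
"""
SAMPLE_INODE_OWNER = {11111: "adbd", 22222: "wpa_supplicant", 33333: "com.whatsapp"}  # constructed
NEVER_LISTEN = {"wpa_supplicant"}

if __name__ == "__main__":
    for hit in unexpected_listeners(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_INODE_OWNER, NEVER_LISTEN):
        print("unexpected listener: %s on %s:%d" % hit)
```

A listener bound to 0.0.0.0 rather than 127.0.0.1 is worth calling out separately in a real triage script, since it is reachable from the network and matches the "remote or local client" behaviour described above; the data class keeps the address so that distinction is available to the caller.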
Doctor Web theorized the system partition implants could have been deployed via a trojan that's part of the FakeUpdates (aka SocGholish) malware family based on the discovery of a backdoor embedded into the system application responsible for over-the-air (OTA) firmware updates.
The rogue app, for its part, is engineered to exfiltrate detailed metadata about the infected device as well as download and install other software without users' knowledge via Lua scripts.
To avoid the risk of becoming a victim of such malware attacks, it's recommended that users purchase mobile devices only from official stores and legitimate distributors.