Backdoors Discovered in Budget Knockoff Android Smartphones

Security experts from Doctor Web have discovered backdoors in the system partition of several budget Android smartphones, which are counterfeit versions of well-known brand devices. The malware is designed to execute arbitrary code in WhatsApp and WhatsApp Business, and can also be used in other attack scenarios, including chat interception, theft of confidential information, organizing spam campaigns, and more.

How the Backdoors Were Discovered

In July 2022, several users contacted Doctor Web with complaints about suspicious activity on their Android smartphones. The company’s antivirus detected changes in the system memory area, as well as the appearance of malicious applications in the system partition (the same apps in all cases).

All incidents had one thing in common: the affected devices were copies of models from well-known brands. Additionally, although the device information reported a current Android version (such as Android 10), the devices actually ran the outdated Android 4.4.2.
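The version mismatch described above is something a defender can check directly from the device's build properties: the human-readable release string (ro.build.version.release) and the API level (ro.build.version.sdk) are set independently, so a firmware that spoofs one and not the other is internally inconsistent. The following Python script is an added example, not code from Doctor Web or from the article; it parses the output of Android's getprop command (the bracketed key/value format is real, the sample lines below are constructed) and flags a release string whose published API level does not match the reported SDK level.

```python
import re

# Major Android release -> API level (Build.VERSION.SDK_INT), public AOSP values.
RELEASE_TO_SDK = {
    "4.4": 19, "5.0": 21, "5.1": 22, "6.0": 23, "7.0": 24, "7.1": 25,
    "8.0": 26, "8.1": 27, "9": 28, "10": 29, "11": 30, "12": 31,
    "13": 33, "14": 34,
}

# getprop prints one property per line as:  [key]: [value]
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]\s*$")

# Constructed sample resembling a counterfeit: claims Android 10 but API level 19 (4.4).
COUNTERFEIT_SAMPLE = """\
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [19]
[ro.product.model]: [radmi note 8]
"""

# Constructed sample of a consistent Android 10 build.
GENUINE_SAMPLE = """\
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [29]
[ro.product.model]: [example-model]
"""


def parse_getprop(text):
    """Turn getprop output into a {key: value} dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def release_key(release):
    """Reduce a release string to the key used in RELEASE_TO_SDK.

    "4.4.2" -> "4.4", "8.1.0" -> "8.1"; from Android 9 on, only the major number counts.
    """
    parts = release.split(".")
    if parts and parts[0].isdigit() and int(parts[0]) >= 9:
        return parts[0]
    return ".".join(parts[:2])


def check_version_consistency(getprop_text):
    """Return a list of findings; an empty list means release and SDK level agree."""
    props = parse_getprop(getprop_text)
    findings = []
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    expected = RELEASE_TO_SDK.get(release_key(release))
    if expected is None or not sdk.isdigit():
        findings.append(f"cannot evaluate release {release!r} with sdk {sdk!r}")
        return findings
    if int(sdk) != expected:
        findings.append(
            f"release {release} implies API level {expected}, "
            f"but ro.build.version.sdk reports {sdk}"
        )
    return findings


if __name__ == "__main__":
    for label, sample in [("counterfeit", COUNTERFEIT_SAMPLE), ("genuine", GENUINE_SAMPLE)]:
        print(label, check_version_consistency(sample) or "consistent")
```

On a real device the input would be the output of `adb shell getprop`; the mapping table only covers the major releases, so a pre-release or vendor-specific release string is reported as unevaluable rather than as a mismatch.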

Affected Models and Malware Behavior

Malicious activity was observed on at least four smartphone models: P48pro, radmi note 8, Note30u, and Mate40. These names closely resemble those of popular manufacturers (for example, Redmi by Xiaomi, Mate by Huawei). Combined with the false OS version information, experts consider these devices to be counterfeits.

Analysis showed that the antivirus detected changes in the following system files: /system/lib/libcutils.so and /system/lib/libmtd.so.

  • libcutils.so is a system library that, by itself, is not dangerous. However, it was modified so that, whenever an application loads it, it launches a trojan from the file libmtd.so. The altered library is detected as Android.BackDoor.3105.
  • libmtd.so is the second trojan library, identified as Android.BackDoor.3104. Its actions depend on which app loaded the first library. If it’s WhatsApp, WhatsApp Business, or a system app such as Settings or Phone, the malware proceeds to the next infection stage by copying another backdoor (Android.Backdoor.854.origin) into the app’s directory and launching it. This component’s main function is to download and install additional malicious modules.
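Because the implants live in shared libraries under /system/lib rather than in an installable app, the practical check is file integrity against a known-good baseline of the same firmware. The Python below is an added example, not Doctor Web's tooling; it hashes every library in a directory, compares the result with a baseline, and reports modified, missing and unexpected files. The demo() function builds a constructed stand-in for a library directory in a temporary folder and replays the pattern the report describes (libcutils.so altered, libmtd.so added); where the baseline for a real device comes from is an assumption left to the reader, typically a hash list from a clean image of the genuine model.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large libraries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(lib_dir):
    """Hash every regular file directly under lib_dir -> {file name: sha256}."""
    return {
        name: sha256_of(os.path.join(lib_dir, name))
        for name in sorted(os.listdir(lib_dir))
        if os.path.isfile(os.path.join(lib_dir, name))
    }


def compare_to_baseline(lib_dir, baseline):
    """Classify differences between the current directory contents and a baseline snapshot."""
    current = snapshot(lib_dir)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Constructed scenario: take a baseline, then reproduce the changes described in the report."""
    with tempfile.TemporaryDirectory() as lib_dir:
        # Stand-ins for a clean firmware image (fake ELF headers, constructed data).
        for name in ["libc.so", "libcutils.so"]:
            with open(os.path.join(lib_dir, name), "wb") as f:
                f.write(b"\x7fELF" + name.encode())
        baseline = snapshot(lib_dir)

        # libcutils.so is altered in place; libmtd.so appears as a new file.
        with open(os.path.join(lib_dir, "libcutils.so"), "ab") as f:
            f.write(b"constructed tamper marker")
        with open(os.path.join(lib_dir, "libmtd.so"), "wb") as f:
            f.write(b"\x7fELFlibmtd.so")

        return compare_to_baseline(lib_dir, baseline)


if __name__ == "__main__":
    print(demo())
```

Run against a real device the two inputs would be a directory pulled with `adb pull /system/lib` and a baseline snapshot taken from a clean image; anything in "modified" or "unexpected" is what the report's antivirus detection flagged here.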

How the Malware Operates

To download modules, Android.Backdoor.854.origin connects to one of several attacker-controlled servers, sending technical data about the device. The server responds with a list of plugins, which the trojan downloads, decrypts, and runs.

The main danger, according to the experts, is that the malware and the modules it downloads run inside the target apps. As a result, the malware gains access to those apps’ files and can read messages, send spam, intercept and listen to phone calls, and perform other malicious actions depending on the modules installed.

If the system process wpa_supplicant (which manages wireless connections) is the one that launches the trojan, Android.BackDoor.3104 starts a local server instead. This allows a remote or local client to connect and operate the mysh console program, which must be pre-installed or present in the device’s firmware.

Source of the Malware

Analysts believe the most likely source of these malicious apps in the system partition is a well-known trojan family called Android.FakeUpdates. Attackers embed this malware in various system components, such as the firmware update program, the settings app, or a graphical interface component. During operation, the malware runs various Lua scripts, which can download and install other software. In fact, Android.FakeUpdates.1.origin was found on one of the affected smartphones.
