Thousands of cheap Android smartphones were getting sold in Africa with malware already pre-installed onboard, according to new security research.
On Monday, the mobile company Upstream Systems published a report on how a nasty malware strain known as Triada has been preying on low-income consumers in over a dozen African countries.
Usually malware ends up on an Android device after the owner installs a fake third-party app that contains malicious code. However, Upstream noticed the Triada malware was being preinstalled on thousands of Tecno W2 handsets from a Chinese company called Transsion before they were sold to local consumers in countries such as Ethiopia, Cameroon and Egypt.
According to BuzzFeed, the W2 was being sold for as little as $30, but could end up looting funds from unsuspecting victims. This is because the phone would download additional malware called xHelper, which can proceed to subscribe the owner to costly digital services.
“Had the subscription attempts been successful, the data services involved would have consumed each user’s pre-paid airtime — the only way to pay for digital products in many emerging markets,” Upstream said.
In addition, xHelper engages in “click fraud” by clicking on ads that run in the background of the device. “All of these actions happened completely in the background and were invisible to device owners,” it added.
Upstream, which sells an anti-fraud system to mobile carriers, began noticing the suspicious activity in March 2019. Since then, the company has blocked over 19.2 million transactions tied to the malware that tried to secretly sign up users to subscription services without their permission. The activity was traced back to more than 200,000 unique devices.
Upstream decided to investigate further, acquired some Tecno W2 handsets, and found the malware would reinstall itself even after a factory reset. Attempts to remove the malware by uninstalling certain applications also did nothing, except cause them to reappear five minutes later.
So how did the malware get on the phones? Transsion told BuzzFeed it traced the infections to an unidentified “vendor in the supply chain process,” meaning the hackers likely infiltrated a third-party vendor charged with managing the phones’ software.
The findings match what other security research from Google has found: The authors behind Triada deliver it by hacking into computers from device manufacturers and secretly planting the malware inside the Android software.
Transsion actually claims to have fixed the infection problem back in March 2018, when the company’s W2 phone was initially flagged for delivering the Triada malware. The Chinese company also released an update to address xHelper late last year, but in both cases the user must download and install the patches.
Why the patches didn’t reach affected consumers remains unclear. But Upstream says phone vendors need to be on guard against malware infiltrating their systems. “It is common that developers and manufacturers are usually unaware of the malware infection,” the company said. “They must be extra careful when choosing third party SDKs (software development kits) and modules, preventing questionable SDKs from sneaking malware into their products.”
The Triada malware was not found on other phones from Transsion, Upstream added.