Chinese smartphone maker selling devices with pre-installed malware

Pre-installed malware that signs mobile users up for subscription services without their authorization has been discovered on thousands of low-cost smartphones from the Chinese manufacturer Transsion. The discovery was made by Upstream's anti-fraud platform Secure-D, whose researchers conducted an in-depth investigation into the origin of the suspicious transactions their platform had detected.

In March last year, the company discovered and blocked an unusually high number of transactions from Transsion Tecno W3 phones in Ethiopia, Cameroon, Egypt, Ghana and South Africa, with additional fraudulent mobile transactions detected in 14 other countries. To date, a total of 19.2 million suspicious transactions, which allegedly enrolled users in subscription services secretly and without their authorization, have been recorded from more than 200,000 unique devices. Many of these blocked transactions were initiated by a family of apps called com.mufc, whose source is unknown and which cannot be downloaded from any Android app store.

Secure-D Upstream Director Geoffrey Cleaves provided additional information on the current state of mobile ad fraud, stating: “Mobile ad fraud is becoming an epidemic that, if left unchecked, will reduce mobile advertising, erode the confidence in operators and will leave users with higher bills. A unified approach is needed to raise awareness. This particular threat benefits the most vulnerable. The fact that the malware comes pre-installed on phones that are bought by the millions by typically low-income households tells you all you need to know about what the industry is currently facing.”

Pre-installed malware

To investigate the large number of suspicious transactions it had observed, Secure-D procured a selection of newly purchased Tecno W2 phones as well as devices from actual users. The analysis used a mix of device models and firmware versions, and the tested smartphones were connected to a variety of network types. It confirmed that Transsion's Tecno W2 devices shipped with pre-installed malware related to Triada.

Triada is a well-known malware family that acts as a backdoor and malware downloader. It uses elevated device privileges to execute arbitrary malicious code after receiving instructions from a remote command-and-control server, and hides its presence within permanent system components to avoid further detection.

After Secure-D connected the Tecno W2 devices it had purchased to the Internet, Triada downloaded a Trojan called xHelper. The Trojan persists through reboots, app removals and even factory resets, making it extremely difficult even for experienced professionals to remove. Secure-D also found that when xHelper components are exposed to a suitable environment, such as a particular mobile network, they make requests to find new subscription targets and send fraudulent subscription requests on behalf of the unsuspecting phone's owner. Because these requests are automatic and invisible, they would have consumed the user's prepaid airtime, which is the only way to make digital payments in many emerging markets.

Transsion itself may not even be to blame: a blog post from Google's security team attributes the presence of Triada to the actions of a rogue vendor somewhere in the supply chain of the affected devices. TechRadar Pro has contacted Transsion Holdings for a statement, but the company had not responded as of this writing.
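The two signals the article describes, an unknown package (com.mufc) initiating subscription requests and an unusually high number of transactions from one device model in one country, are the kind of thing a carrier-side anti-fraud pipeline can flag before the charge lands on the subscriber's prepaid balance. The following is an added example written for this page, not Secure-D's or Upstream's own code. It assumes a simplified transaction record (device id, device model, country, initiating Android package, and whether the subscriber completed a consent step), which is a constructed schema; only the package name com.mufc comes from the article, and the other package names, device models and counts in the sample data are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed schema for a carrier-side view of a subscription attempt.
@dataclass(frozen=True)
class Transaction:
    device_id: str
    model: str
    country: str
    initiator: str        # Android package that triggered the request
    user_confirmed: bool  # subscriber completed an explicit consent step

# com.mufc is the family named in the report; anything else added here
# would be a hypothetical denylist entry.
KNOWN_BAD_PACKAGES = {"com.mufc"}


def bucket_rates(txns):
    """Subscription attempts per unique device, keyed by (model, country)."""
    attempts = defaultdict(int)
    devices = defaultdict(set)
    for t in txns:
        key = (t.model, t.country)
        attempts[key] += 1
        devices[key].add(t.device_id)
    return {k: attempts[k] / len(devices[k]) for k in attempts}


def hot_buckets(txns, ratio=3.0):
    """Buckets whose per-device rate exceeds ratio x the median bucket rate.

    The median is used as the baseline so that one heavily abused model
    does not drag the baseline up and hide itself.
    """
    rates = bucket_rates(txns)
    baseline = median(rates.values())
    return {k for k, r in rates.items() if r > ratio * baseline}


def flag_transactions(txns, ratio=3.0):
    """Return (hot buckets, [(transaction, reasons)]) for review or blocking."""
    hot = hot_buckets(txns, ratio)
    flagged = []
    for t in txns:
        reasons = []
        if t.initiator in KNOWN_BAD_PACKAGES:
            reasons.append("known-bad initiator")
        if not t.user_confirmed:
            reasons.append("no consent step")
        if (t.model, t.country) in hot:
            reasons.append("anomalous device-model rate")
        if reasons:
            flagged.append((t, reasons))
    return hot, flagged


def constructed_sample():
    """Constructed sample: five abused devices, 25 ordinary ones."""
    txns = []
    for d in range(5):                      # one model, one country, no consent
        for _ in range(6):
            txns.append(Transaction(f"w2-{d}", "Tecno W2", "ET", "com.mufc", False))
    for d in range(15):                     # hypothetical benign traffic
        txns.append(Transaction(f"x-{d}", "Model X", "GH", "com.example.music", True))
    for d in range(10):
        txns.append(Transaction(f"y-{d}", "Model Y", "ZA", "com.example.news", True))
    return txns


if __name__ == "__main__":
    hot, flagged = flag_transactions(constructed_sample())
    print("hot buckets:", hot)
    for t, reasons in flagged[:3]:
        print(t.device_id, t.initiator, reasons)
```

Each flag is independent on purpose: the package denylist catches a known family the moment it appears, the consent check catches silent sign-ups from any package, and the per-model rate catches a new family on a new firmware build before anyone has named it. In a real deployment the baseline would be computed over a longer window and per operator, since legitimate subscription rates differ by market.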