Researchers from Doctor Web discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models. The malware targets WhatsApp and WhatsApp Business messaging apps and can allow attackers to conduct multiple malicious activities.
Doctor Web became aware of the malicious campaign in July 2022, after several users contacted the security firm to report suspicious activity on their Android devices. The researchers discovered changes in the system storage area as well as the appearance of the same malicious code in the system partition of multiple models, including P48pro, radmi note 8, Note30u, and Mate40.
The experts noticed that all the devices were copycats of famous brand-name models: their names are similar to the names of some models produced by popular manufacturers. Another circumstance the experts discovered is that all the devices were running an outdated OS version (Android 4.4.2) rather than one of the latest OS versions, as claimed in the device details.
Dr.Web researchers noticed changes in the “/system/lib/libcutils.so” and “/system/lib/libmtd.so” objects.
The object libcutils.so is a system library that has been modified so that, when any application uses it, a trojan tracked as Android.BackDoor.3105, which is contained in the libmtd.so file, is executed.
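One defender-side check for the kind of tampering described above, as an added example that is not Doctor Web's code: parse the DT_NEEDED entries of an ELF32 shared object and diff them against a known-good baseline, so a libcutils.so that has acquired a dependency on libmtd.so stands out. It assumes the trojan is pulled in as a link-time dependency; a library loaded via dlopen() would not appear here, so comparing the file hash against the vendor's genuine firmware remains the stronger test. The baseline list and the sample ELF are constructed placeholders.

```python
import struct

SHT_DYNAMIC, SHT_STRTAB, DT_NULL, DT_NEEDED = 6, 3, 0, 1
# Assumed baseline (placeholder, not from the report): DT_NEEDED of a known-good libcutils.so
GENUINE_LIBCUTILS_DEPS = ["liblog.so", "libc.so", "libdl.so"]

def elf32_needed(data: bytes) -> list[str]:
    """Return the DT_NEEDED library names of a little-endian ELF32 shared object."""
    if data[:5] != b"\x7fELF\x01" or data[5] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    e_shoff, _, _, _, _, e_shentsize, e_shnum, _ = struct.unpack_from("<IIHHHHHH", data, 32)
    shdrs = [struct.unpack_from("<10I", data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh[6]]                       # sh_link -> associated .dynstr
        str_off, str_size = strtab[4], strtab[5]
        for pos in range(sh[4], sh[4] + sh[5], 8):  # each Elf32_Dyn is 8 bytes
            d_tag, d_val = struct.unpack_from("<iI", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                if d_val >= str_size:
                    raise ValueError("DT_NEEDED offset outside .dynstr")
                end = data.index(b"\0", str_off + d_val)
                needed.append(data[str_off + d_val:end].decode())
    return needed

def unexpected_deps(data: bytes, baseline: list[str]) -> list[str]:
    """Dependencies present in the image but absent from the known-good set."""
    return sorted(set(elf32_needed(data)) - set(baseline))

def build_sample_so(libs: list[str]) -> bytes:
    """Constructed test input: a minimal ELF32 holding only .dynamic and .dynstr."""
    strtab, offs = b"\0", []
    for name in libs:
        offs.append(len(strtab))
        strtab += name.encode() + b"\0"
    dyn = b"".join(struct.pack("<iI", DT_NEEDED, o) for o in offs)
    dyn += struct.pack("<iI", DT_NULL, 0)
    dyn_off, str_off = 52, 52 + len(dyn)            # sections follow the 52-byte header
    shoff = str_off + len(strtab)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 3, 40, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 0)  # ET_DYN, EM_ARM
    shdrs = (b"\0" * 40
             + struct.pack("<10I", 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 2, 0, 4, 8)
             + struct.pack("<10I", 0, SHT_STRTAB, 0, 0, str_off, len(strtab), 0, 0, 1, 0))
    return ehdr + dyn + strtab + shdrs
```

Run it against a library pulled from the device with `adb pull /system/lib/libcutils.so` and a baseline extracted from the genuine firmware of the same Android release.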