Monday, August 24, 2020






Chinese smartphones with pre-installed malware steal data and money from users

Malware preinstalled on low-cost Chinese phones steals data and money from users in developing countries. For example, the Tecno W2 smartphone can be sold in some regions for literally - much cheaper than comparable models from Samsung, Nokia or Huawei. But this low price has unpleasant consequences.
Chinese company Transsion produces smartphones and conventional mobile phones for developing countries under the Tecno brand and others. Since the launch of its first device in 2014, the company, for example, has become a leader in phone sales in Africa, surpassing previous leaders Samsung and Nokia.
But success can come at a price. Users in Africa, Ethiopia, Cameroon, Egypt, Ghana, Indonesia and Myanmar complained that pop-up ads on the Tecno W2 interrupted calls and chats and that their mobile account balance was mysteriously spent; there have also been reports of paid subscriptions to unknown apps. An investigation by Secure-D, a mobile security service, showed there was a reason for all of it. The smartphones came infected with xHelper and Triada, malware that secretly downloaded applications and signed people up for paid services without their knowledge.
Secure-D, which some mobile operators use to protect their networks and customers from fraudulent transactions, blocked 844,000 transactions involving malware preinstalled on Transsion phones between March and December 2019. Secure-D managing director Geoffrey Cleaves told BuzzFeed News that user data has been actively used in attempts to automatically subscribe to paid services. "For example, in Africa, Transsion devices generate 4% of user traffic, while smartphones account for more than 18% of all suspicious transactions," said Mr. Cleaves.


Tecno Spark 3 Pro is sold in Russia for 6999 ₽

This is another example of how some people try to save money by buying a device from a little-known brand. Cheap Chinese smartphones usually come with preinstalled malware that charges a kind of tax. At the same time, a Transsion spokesman told BuzzFeed News that the hidden programs Triada and xHelper appear on the company's phones due to some unknown link in the supply chain.
"We always attach great importance to the security of consumer data and product security," said the company. "All software installed on a device undergoes a series of rigorous security checks, such as our proprietary security scanning platform, Google Play Protect, GMS BTS and the VirusTotal test." A company spokesman added that Transsion did not benefit from malware and declined to reveal how many cell phones were infected.
Although largely unknown outside developing countries, Transsion is the fourth largest cell phone manufacturer in the world, after Apple, Samsung and Huawei, and is the only leading manufacturer focused exclusively on emerging markets.
The need to keep costs low opens the door to malware and other vulnerabilities. "Fraudsters can take advantage of the consumer's desire to buy a device at the lowest price, offering their hardware or software services even below cost, knowing that they can recover costs through fraud," said Geoffrey Cleaves.

Alcatel Pixi 4 4034D Smartphone is on sale in Russia for 1,290 ₽

Secure-D previously detected pre-installed malware on Alcatel brand phones from Chinese cell phone manufacturer TCL Communication in Brazil, Malaysia and Nigeria. It also investigated how Chinese malware preinstalled on cheap smartphones in Brazil and Myanmar stole from users through fraudulent transactions.
Similar schemes work not only in developing countries, but also in the United States. This year, the Malwarebytes security service found pre-installed malware of Chinese origin on two phones offered to low-income citizens as part of the U.S. government's Lifeline program, which provides subsidized phones and discounted traffic. Both phones were manufactured by Chinese companies.
Nathan Collier, senior mobile malware analyst at Malwarebytes, said that cheap Chinese smartphones often pose threats to the security of people around the world. "We are faced with the same story over and over, when a cheap Chinese phone with Chinese malware ends up in the hands of people who cannot afford a more expensive phone," he said. "It's disgusting and frustrating to pre-install malware on a phone before the consumer buys it."

Tecno Spark 5 Air is sold in Russia for 6699 ₽

Mr. Collier researched Triada and xHelper and said it was the first malware in his practice to remain operational even after a factory reset. Transsion said it released a patch against Triada in March 2018, after reports revealed the software's presence on W2 smartphones. The company also added that it released a fix for xHelper in late 2019. In both cases, phone owners had to manually download fixes and update their phones.
Secure-D continues to block transactions from Transsion phones, but to a much lesser extent. Experts believe xHelper has entered a dormant stage and is inactive on millions of devices, while attackers are just waiting for the opportunity to strike again.

AVnews
