A number of trojans targeting WhatsApp and WhatsApp Business have been found hidden in the firmware of low-cost Android devices sold as knockoffs of well-known smartphone brands.
The trojans, which Doctor Web first identified in July 2022, were found in the system partitions of at least four phone models: the P48pro, Radmi Note 8, Note30u, and Mate40.
The cybersecurity company stated in a report released today that “all cases are connected by the fact that the hacked devices were copycats of well-known brand-name products.”
“Additionally, they had the long-outdated 4.4.2 version of the OS installed on them rather than one of the newest OS versions with the corresponding information displayed in the device details,” the report continued.
The tampering affects two files, "/system/lib/libcutils.so" and "/system/lib/libmtd.so." The libcutils.so system library has been modified so that whenever any application loads it, it launches a trojan embedded in libmtd.so.
If the application using the libraries is WhatsApp or WhatsApp Business, libmtd.so then launches a third backdoor, whose main task is to download additional plugins from a remote server and install them on the affected device.
The researchers warned that the downloaded modules and the detected backdoors “work in such a way that they essentially become part of the targeted apps.”
Because they run inside the targeted apps and have access to those apps' files, the downloaded modules are able to read conversations, send spam, intercept and listen to phone calls, and perform other malicious actions.
Should the application using the libraries instead turn out to be wpa_supplicant, the system daemon that manages wireless network connections, libmtd.so is configured to start a local server that accepts connections from a remote or local client via the "mysh" console.
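A practitioner handed one of these phones would want a repeatable first-pass check. The script below is an added example written for this article; it is not Doctor Web's tooling and contains no data from the report. It assumes the analyst has already run `adb shell getprop` and `adb pull` against the suspect device and holds known-good SHA-256 hashes for the two named libraries taken from a clean firmware image of the same build. It flags the two things the article describes: a reported Android release that does not match the real API level (the copycats ran 4.4.2 while displaying a newer version), and a libcutils.so or libmtd.so whose hash differs from the baseline. The "mysh" string scan is a weak heuristic derived only from the console name mentioned above. All getprop lines, library bytes, and hashes are constructed for the example.

```python
"""Offline triage for the libcutils.so / libmtd.so tampering described above.

Added example, not Doctor Web's tooling. Assumes the analyst has already run
`adb shell getprop` and `adb pull` on the suspect phone and has a known-good
SHA-256 for each library from a clean firmware image of the same build.
"""
import hashlib
import re

# Android release string -> API level (public Android facts, not from the article).
RELEASE_TO_SDK = {
    "4.4": 19, "4.4.2": 19, "4.4.4": 19, "5.0": 21, "5.1": 22, "6.0": 23,
    "7.0": 24, "7.1": 25, "8.0": 26, "8.1": 27, "9": 28, "10": 29,
    "11": 30, "12": 31, "13": 33,
}

# The two libraries the article names as modified.
SUSPECT_LIBS = ("/system/lib/libcutils.so", "/system/lib/libmtd.so")

# Weak indicator: the article says the wpa_supplicant branch exposes a "mysh" console.
SUSPECT_STRINGS = (b"mysh",)


def parse_getprop(text: str) -> dict:
    """Parse `adb shell getprop` output lines of the form `[key]: [value]`."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[(.*)\]$", text, re.M)}


def version_findings(props: dict) -> list:
    """Flag a release string that does not match the SDK level, and an EOL 4.4.x base."""
    findings = []
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    expected = RELEASE_TO_SDK.get(release)
    if expected is None:
        findings.append(f"unrecognised release string {release!r}")
    elif str(expected) != sdk:
        findings.append(f"release {release} implies API {expected} "
                        f"but ro.build.version.sdk is {sdk}")
    if sdk == "19":
        findings.append("device actually runs API 19 (Android 4.4.x), an unsupported release")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def library_findings(pulled: dict, baseline: dict) -> list:
    """pulled: path -> bytes from `adb pull`; baseline: path -> known-good sha256 hex."""
    findings = []
    for path in SUSPECT_LIBS:
        data = pulled.get(path)
        if data is None:
            findings.append(f"{path}: not present on device")
            continue
        digest = sha256_hex(data)
        good = baseline.get(path)
        if good is None:
            findings.append(f"{path}: no baseline hash to compare (sha256={digest})")
        elif digest != good:
            findings.append(f"{path}: sha256 {digest} differs from baseline {good}")
        for needle in SUSPECT_STRINGS:
            if needle in data:
                findings.append(f"{path}: contains suspicious string {needle.decode()!r}")
    return findings


def triage(getprop_text: str, pulled: dict, baseline: dict) -> list:
    """Combine the version and library checks into one list of findings."""
    props = parse_getprop(getprop_text)
    return version_findings(props) + library_findings(pulled, baseline)


# ---- constructed sample input (not real device data) ----
SAMPLE_GETPROP = """\
[ro.product.model]: [Radmi Note 8]
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [19]
"""
CLEAN_LIBCUTILS = b"\x7fELF clean libcutils placeholder"
PULLED = {
    "/system/lib/libcutils.so": b"\x7fELF patched libcutils placeholder",
    "/system/lib/libmtd.so": b"\x7fELF libmtd placeholder mysh",
}
# Baseline only for libcutils.so, so the libmtd.so entry exercises the "no baseline" path.
BASELINE = {"/system/lib/libcutils.so": sha256_hex(CLEAN_LIBCUTILS)}

if __name__ == "__main__":
    for line in triage(SAMPLE_GETPROP, PULLED, BASELINE):
        print("FINDING:", line)
```

On the constructed sample this reports five findings: the release/SDK mismatch, the API 19 base, a changed libcutils.so, a libmtd.so with no baseline, and the "mysh" string. A hash mismatch alone is not proof of tampering (vendor builds differ), so the baseline must come from the same build; the string scan is only a prompt to disassemble the library.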