xHelper malware pre-installed on cheap Chinese phones


London: xHelper / Triada malware found pre-installed on thousands of low-cost Chinese Android devices in emerging markets.

Upstream’s full-stack anti-fraud platform Secure-D released the findings after a full investigation into the origin of the suspicious transactions it had detected.

The pre-installed malware is said to sign mobile users up to subscription services without their permission, and it has been found on thousands of low-cost devices made by the Chinese manufacturer Transsion.

Secure-D caught and blocked an unusually large number of transactions coming from Transsion Tecno W2 handsets, mainly in Ethiopia, Cameroon, Egypt, Ghana and South Africa. Fraudulent mobile transaction activity was also detected in another 14 countries.

To date, a total of 19.2m suspicious transactions – which would have secretly signed users to subscription services without their permission – have been recorded from over 200,000 unique devices.

Secure-D’s further investigation discovered components of the xHelper/Triada malware pre-installed on 53,000 Transsion Tecno W2 smartphones, a low-cost handset model typically bought by lower-income users.

“This particular threat takes advantage of those most vulnerable,” according to Geoffrey Cleaves, Head of Secure-D at Upstream.

“The fact that the xHelper malware arrives pre-installed on handsets that are bought in their millions by typically low-income households tells you everything you need to know about what the industry is currently up against,” said Cleaves.

Transsion Holdings, based in Shenzhen, China, is one of the country’s leading mobile phone manufacturers, selling 124 million mobile phones globally in 2018 according to the company’s own data.

Its handsets are prevalent in emerging markets, especially in Africa, where according to IDC it is the top selling mobile phone manufacturer.

Its Tecno, Infinix and Itel brands held a combined 40.6% share in the African smartphone market and a 69.5% share in the feature phone market during the last quarter of 2019. Transsion manufactured handsets can also be found in many Asian countries.

Triada malware acts as a software backdoor and malware downloader. It installs a trojan (malicious code disguised as a legitimate app) known as “xHelper” onto compromised devices.

The xHelper trojan persists across reboots, app removals and even factory resets, which makes it extremely difficult to deal with even for experienced professionals, let alone the average mobile user. In the pre-installed case this is expected: a factory reset wipes the user-data partition but leaves the firmware (system) partition untouched, so any component that ships in the firmware image is still there after the reset.

When exposed to the right environment, for example, a particular phone network, xHelper components can make queries to find new subscription targets and submit fraudulent subscription requests on behalf of the phone’s unsuspecting owner. These requests are automatic – meaning they do not require the phone owner’s permission – and invisible. Had they been successful, they would have consumed each user’s pre-paid airtime – the only way to pay for digital products in many emerging markets.

Secure-D’s investigation found evidence in code and in traffic data linking at least one of the xHelper components (a package known as “com.mufc.umbtts”) to subscription fraud requests from Transsion’s Tecno-branded W2 handset, which runs Android. In the period under investigation, Secure-D detected and blocked nearly 800,000 suspicious xHelper requests from W2 devices.
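The two points above, that a factory reset does not remove a firmware-resident component and that the component of interest has a known package name, suggest a simple triage step on a suspect handset: list the installed packages with their APK paths and pick out those stored on a firmware partition. The script below is an added example, not Secure-D’s, Upstream’s or Transsion’s code. It assumes the `package:<apk-path>=<package-name>` line format printed by Android’s `pm list packages -f`, and the embedded listing is a constructed sample whose paths are illustrative, not the real layout of a Tecno W2 image.

```shell
#!/bin/sh
# Added triage helper; not Secure-D's, Upstream's or Transsion's code.
# Input: the output of `adb shell pm list packages -f`, one line per package in
# the form "package:<apk-path>=<package-name>" (assumed format, as printed by
# Android's pm command). Output: the packages whose APK lives on a firmware
# partition, i.e. the ones a factory reset cannot remove, because a reset wipes
# only the user-data partition. If adb output carries CRLF line endings, pipe it
# through `tr -d '\r'` first.

# Partitions that belong to the firmware image and survive a factory reset.
FIRMWARE_PARTITIONS='/system/ /system_ext/ /vendor/ /product/ /odm/ /oem/'

# Constructed sample listing for stand-alone use. The paths are illustrative
# only; they are not the layout of a real Tecno W2 image.
SAMPLE_LISTING='package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/umbtts/umbtts.apk=com.mufc.umbtts
package:/vendor/app/Weather/Weather.apk=com.vendor.weather'

# Read a package listing on stdin and print "<package> <apk-path>" for each
# package stored on a firmware partition.
firmware_packages() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        rest=${line#package:}
        path=${rest%=*}      # everything before the last '='
        pkg=${rest##*=}      # everything after the last '='
        for part in $FIRMWARE_PARTITIONS; do
            case "$path" in
                "$part"*) printf '%s %s\n' "$pkg" "$path"; break ;;
            esac
        done
    done
}

# Exit 0 if the named package is firmware-resident in the listing on stdin,
# 1 otherwise. Usage: adb shell pm list packages -f | is_firmware_resident <pkg>
is_firmware_resident() {
    firmware_packages | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Stand-alone demo over the constructed listing. Against a connected handset,
# replace the printf with: adb shell pm list packages -f
printf '%s\n' "$SAMPLE_LISTING" | firmware_packages
```

Against a real device, `adb shell pm list packages -f | is_firmware_resident com.mufc.umbtts` tells you whether the package named in the article is part of the firmware. A firmware-resident package cannot be uninstalled normally; `adb shell pm disable-user --user 0 com.mufc.umbtts` (or `pm uninstall -k --user 0`) removes it for the user profile as a stopgap, but the Triada downloader that placed it is still in the image, so the only complete fix is a clean firmware build from the manufacturer.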

Google has attributed the presence of the Triada malware to a malicious supplier somewhere within the supply chain of the affected devices. No signs of Triada were found on other Transsion handset models.

“Mobile ad fraud is fast becoming an epidemic which, if left unchecked, will throttle mobile advertising, erode trust in operators and leave users saddled with higher bills. A unified approach is needed to raise awareness,” commented Cleaves.

An Upstream report released earlier this year revealed that last year a staggering 93% of the mobile transactions it processed were blocked by Secure-D as fraudulent.

Over 98,000 malicious Android apps were discovered, as well as 43 million infected devices in 20 different countries. Secure-D currently covers 31 mobile operators across 20 countries.
