53K Chinese android devices enter Africa with pre-installed malware
A new report by Secure-D, Upstream’s full-stack anti-fraud platform, explains how it caught and blocked many transactions originating from Transsion Tecno W2 handsets in Ethiopia, Cameroon, Egypt, Ghana, and South Africa. Other fraudulent mobile transaction activity was detected in another 14 countries.
Africa’s most popular phone maker, Transsion of China, shipped over 200k low-cost Android devices with pre-installed malware. The malware signs mobile users up to subscription services without their permission.
To date, a total of 19.2m suspicious transactions, which would have secretly signed users up to subscription services without their permission, have been recorded from over 200k unique devices.
Secure-D says its further investigation discovered components of the xHelper/Triada malware pre-installed on 53k of Transsion’s Tecno W2 smartphones, a low-cost handset model.
“This particular threat takes advantage of those most vulnerable. The fact that the malware arrives pre-installed on handsets that are bought in their millions by typically low-income households tells you everything you need to know about what the industry is currently up against,” said Geoffrey Cleaves, Head of Secure-D at Upstream.
Google, developer of the Android OS, has previously attributed the presence of the Triada malware to the actions of a malicious supplier somewhere within the supply chain of affected devices. No signs of Triada malware were found on other mobile phone models made by Transsion.
Transsion Holdings sold 24 million mobile phones globally in 2018, according to its own company data. Its handsets are prevalent in emerging markets, especially in Africa. Its Tecno, Infinix and Itel brands held a combined 40.6% share of the African smartphone market and a 69.5% share of the feature phone market during the last quarter of 2019. Transsion-manufactured handsets can also be found in many Asian countries.
Triada malware acts as a software backdoor and malware downloader. It installs a trojan (a piece of malicious code designed to look normal) known as “xHelper” onto compromised devices.
The xHelper trojan persists across reboots, app removals and even factory resets, making it extremely difficult to deal with even for experienced professionals, let alone the average mobile user.
When exposed to the right environment (for example, a particular phone network), xHelper components can query for new subscription targets and submit fraudulent subscription requests on behalf of the phone’s unsuspecting owner.
A report published by Upstream at the beginning of 2020 revealed that last year a staggering 93% of mobile transactions had been blocked by Secure-D as fraudulent.