Preinstalled mobile malware steals money in emerging markets

Richi Jennings Your humble blogwatcher, dba RJA

Smartphone users in emerging markets are being ripped off by suspiciously cheap handsets. Phones branded Tecno—made by Shenzhen Transsion Holdings—appear to be preinstalled with malware.

Said malware is said to be silently signing users up to costly subscriptions. And it’s practically unremovable. But Transsion—a big name in African telecoms—denies blame.

Meanwhile, there’s yet another click-fraud malware scandal in Apple’s App Store. In this week’s Security Blogwatch, we go back to smoke signals.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: laziness and Python.

Supply chain attack blamed

What’s the craic? Craig Silverman reports—Chinese-Made Smartphones Are Secretly Stealing Money:

Transsion, the Chinese company that makes Tecno and other low-priced smartphones … has grown to become Africa’s top handset seller, beating out longtime market leaders Samsung and Nokia. [It] is the fourth-biggest handset maker in the world, behind Apple … but it’s the only manufacturer in that group to exclusively focus on low-income markets.

It’s the latest example of how cheap … smartphones take advantage of the world’s poorest people. … Right out of the box [phones are] infected with xHelper and Triada—malware that secretly downloads apps and attempts to subscribe [users] to paid services without [their] knowledge.

Tecno W2 phones in … South Africa … Ethiopia, Cameroon, Egypt, Ghana, Indonesia, and Myanmar were infected. … [It’s] an overlooked and ongoing threat … malware on cheap smartphones … and how it exacts a digital tax on people with low incomes.

A Transsion spokesperson [said] some of the company's Tecno W2 phones contained the hidden Triada and xHelper programs, blaming an unidentified “vendor in the supply chain process.” … The spokesperson said Transsion did not profit from the malware.

And Anthony Spadafora adds—Chinese smartphone maker selling devices with malware pre-installed:

The discovery was made by Upstream's anti-fraud platform Secure-D. … Beginning in March of last year, the firm discovered … an unusually large number of transactions originating from Transsion Tecno W3 handsets in Ethiopia, Cameroon, Egypt, Ghana and South Africa with additional fraudulent mobile transactions detected in another 14 countries.

To date, a total of 19.2m suspicious transactions, which would have secretly signed users up for subscription services … have been recorded from over 200k unique devices. Many of these blocked transactions were carried out by a family of apps called com.mufc whose source is unknown.

[The] devices came with Triada-related malware pre-installed. … The malware uses top-level device privileges to execute arbitrary malicious code … before hiding its presence inside permanent system components to further avoid detection. [The] malware downloaded a Trojan called xHelper [which] persists across reboots, app removals and even factory resets.

When xHelper components are exposed to … particular phone networks, they made queries to find new subscription targets and submit fraudulent subscription requests. … They would have consumed users' pre-paid airtime as this is the only way to make digital payments in many emerging markets.

What’s the industry up against? Secure-D’s Geoffrey Cleaves comments thuswise—Suspicious activity on over 200k Transsion Tecno W2 smartphones:

This particular threat takes advantage of those most vulnerable. The fact that the malware arrives pre-installed on handsets that are bought in their millions by typically low-income households tells you everything you need to know.

Mobile ad fraud is fast becoming an epidemic which, if left unchecked, will throttle mobile advertising, erode trust in operators and leave users saddled with higher bills.

But it could never happen here, right? John Koetsier hates to burst your bubble—Malicious Chinese SDK In 1,200 iOS Apps With Billions Of Installs Causing ‘Major Privacy Concerns’:

A Chinese ad network named Mintegral is accused of spying on user activity and committing ad fraud in more than 1,200 apps with 300 million installs per month since July 2019. … This likely impacts billions of total app installs on iPhone and iPad.

“We identified an SDK malicious component that is getting integrated into different iOS applications,” … says Danny Grander, cofounder [of] Snyk. … The Mintegral SDK performs click attribution fraud, Grander told me.

It spies on what users do, including when they click on ads to install other apps. Since brands pay ad networks for successful mobile app installs, the Mintegral SDK would then quickly send out a fake click and “claim credit” for the app install, Grander says. … For between 20% and 30% of the conversions Mintegral had been credited with, there was a prior click within a couple minutes from a competing ad network.

Apple says this is an example of why the company is making privacy enhancements in the soon-to-arrive iOS 14, which will make the Apple identifier for advertisers (IDFA) opt-in only. … Very likely, Apple will be tightening its own app and SDK checking in the app approval stage as well.

Mintegral has issued a statement: … “These allegations are not true. … There is no fraud taking place. … Mintegral was founded on the idea of bridging East and West through transparent, reliable and open advertising technology.”
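How the "prior click from a competing ad network within a couple of minutes" check that Grander describes could be run over attribution logs, as an added example. This is my own code, not Snyk's, Mintegral's or the article's; the 120-second window, the event fields and the log entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# "A couple minutes" in the quote; the exact window is an assumption.
WINDOW = timedelta(seconds=120)


@dataclass(frozen=True)
class Click:
    ts: datetime      # when the ad network reported the click
    device: str       # hashed device identifier (constructed values below)
    app: str          # identifier of the advertised app
    network: str      # ad network that reported the click


@dataclass(frozen=True)
class Conversion:
    ts: datetime                 # when the install was recorded
    device: str
    app: str
    credited_to: str             # network that received attribution credit
    credited_click_ts: datetime  # timestamp of the click it was credited for


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample attribution log. dev1 is the pattern from the quote:
# net-B shows the ad and logs a click, then net-A logs a click 45 s later and
# is credited for the install. dev3's competing click is 15 minutes old, so it
# falls outside the window and is treated as an ordinary earlier impression.
SAMPLE_CLICKS = [
    Click(_t("2020-08-25T10:00:00"), "dev1", "app.x", "net-B"),
    Click(_t("2020-08-25T10:00:45"), "dev1", "app.x", "net-A"),
    Click(_t("2020-08-25T11:00:00"), "dev2", "app.x", "net-A"),
    Click(_t("2020-08-25T12:00:00"), "dev3", "app.y", "net-B"),
    Click(_t("2020-08-25T12:15:00"), "dev3", "app.y", "net-A"),
    Click(_t("2020-08-25T13:00:00"), "dev4", "app.z", "net-B"),
]
SAMPLE_CONVERSIONS = [
    Conversion(_t("2020-08-25T10:01:30"), "dev1", "app.x", "net-A", _t("2020-08-25T10:00:45")),
    Conversion(_t("2020-08-25T11:02:00"), "dev2", "app.x", "net-A", _t("2020-08-25T11:00:00")),
    Conversion(_t("2020-08-25T12:16:00"), "dev3", "app.y", "net-A", _t("2020-08-25T12:15:00")),
    Conversion(_t("2020-08-25T13:01:00"), "dev4", "app.z", "net-B", _t("2020-08-25T13:00:00")),
]


def suspicious_conversions(clicks, conversions, window=WINDOW):
    """Return (conversion, competing_click) pairs where a different network logged
    a click for the same device and app within `window` before the credited click."""
    by_key: Dict[Tuple[str, str], List[Click]] = {}
    for c in clicks:
        by_key.setdefault((c.device, c.app), []).append(c)
    flagged = []
    for conv in conversions:
        competing = [
            c for c in by_key.get((conv.device, conv.app), [])
            if c.network != conv.credited_to
            and conv.credited_click_ts - window <= c.ts < conv.credited_click_ts
        ]
        if competing:
            # keep the competing click closest in time to the credited one
            flagged.append((conv, max(competing, key=lambda c: c.ts)))
    return flagged


def flagged_share_by_network(clicks, conversions, window=WINDOW):
    """Fraction of each network's credited conversions that the check flags.
    The quote reports 20-30% for the SDK in question; a share in that range,
    concentrated on one network, is the signal an attribution team would escalate."""
    credited: Dict[str, int] = {}
    for conv in conversions:
        credited[conv.credited_to] = credited.get(conv.credited_to, 0) + 1
    hits: Dict[str, int] = {}
    for conv, _ in suspicious_conversions(clicks, conversions, window):
        hits[conv.credited_to] = hits.get(conv.credited_to, 0) + 1
    return {n: hits.get(n, 0) / total for n, total in credited.items()}


if __name__ == "__main__":
    for conv, click in suspicious_conversions(SAMPLE_CLICKS, SAMPLE_CONVERSIONS):
        gap = (conv.credited_click_ts - click.ts).total_seconds()
        print(f"{conv.device} {conv.app}: credited to {conv.credited_to}, "
              f"{click.network} clicked {gap:.0f}s earlier")
    print(flagged_share_by_network(SAMPLE_CLICKS, SAMPLE_CONVERSIONS))
```

On the constructed log only dev1 is flagged, and net-A's flagged share comes out at one third while net-B's is zero. The check is a heuristic, not proof: a user can genuinely click two networks' ads in quick succession, so the share per network over many conversions matters more than any single flagged pair, and the window should be tuned against clean traffic before it is used to withhold payouts.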

I think you ought to know that Malays2 bowman’s feeling very depressed:

We're screwed. Really, we're screwed.

Sorry to all future generations of Americans who must deal with our mess.

Why hasn’t Apple nuked it? innagadadavida is watching and waiting:

Basically, they are faking clicks if users installed an app after seeing the ad but not clicking on it. … Will be interesting to see what the ad networks and Apple will do about this.

What can be done? rtb61 has this immodest proposal:

The whole idea of a locked root—locked from the customers—has to come to an end. It should be illegal to supply a phone that way.

A customer should be able to scan that phone for any untoward software, and remove or … without difficulty install the operating system and applications of their choice—on their phone.

True it would create some new problems, but it would eliminate a whole bunch of bad practices—very anti-consumer practices—that have evolved with large very corrupt and customer abusive tech corporations who need to be brought to heel, beaten and dismembered.

And it’s not just iThings, according to tupac_speedrap:

Premium brands aren't helping by normalising this; maybe not to the same degree, but every Android experience seems to come with vendor botnet stuff built in.

Which leads us back to the problems in emerging markets. Heed Chris Xu:

The problem isn't Tecno, it's these middlemen vendors that inject malware onto the phones before they resell them. China has a big problem with these middlemen too, doing the same thing, especially on Alibaba.

It's just better to buy it directly from the maker if possible.

Meanwhile, this Anonymous Coward proffers some local insights:

I live in South Africa. When cellphone networks took off in a lot of places in Africa, around the middle 1990s, they provided a lot of people with connectivity that the state-owned fixed-line telephone monopolies never provided. Many people went straight from no internet to cellphone-based internet, leapfrogging wired technology like dialup, ADSL etc.

That said, culturally there is a huge focus on personal presentation and conspicuous exhibition of wealth – quite a spectacle for a westerner to behold. Many people on minimal wages "invest" in brand name clothing and flagship mobile phones. Some higher salary earners often max out their pay package to "buy" the most expensive … car the bank and debt laws will allow.

The moral of the story?

Despite Apple’s and Google’s efforts, smartphone malware is still a thing, so beware BYOD. And maybe help your marketing brethren understand click fraud?

And finally

Prof. Thorsten Altenkirch says, “Sometimes it’s good to be a bit lazy.”


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: JP Valery (via Unsplash)
