xHelper/Triada malware pre-installed on thousands of low cost Chinese Android devices in emerging markets
August 2020 by Upstream
Pre-installed malware that signs mobile users up to subscription services without their permission has been found on thousands of low-cost devices made by the Chinese manufacturer Transsion. That is according to new findings released by Secure-D, Upstream’s full-stack anti-fraud platform, following a full investigation into the origin of the suspicious transactions it detected.
Secure-D caught and blocked an unusually large number of transactions coming from Transsion Tecno W2 handsets, mainly in Ethiopia, Cameroon, Egypt, Ghana and South Africa, with some fraudulent mobile transaction activity detected in another 14 countries. To date, a total of 19.2 million suspicious transactions, each of which would have secretly signed a user up to a subscription service without permission, have been recorded from over 200,000 unique devices.
Secure-D’s further investigation discovered components of the xHelper/Triada malware pre-installed on 53,000 Transsion Tecno W2 smartphones, a low-cost handset model typically bought by those on a lower income.
Geoffrey Cleaves, Head of Secure-D at Upstream, commented: “This particular threat takes advantage of those most vulnerable. The fact that the malware arrives pre-installed on handsets that are bought in their millions by typically low-income households tells you everything you need to know about what the industry is currently up against.”
Based in Shenzhen, China, Transsion Holdings is one of the country’s leading mobile phone manufacturers, selling 124 million mobile phones globally in 2018 according to its own company data. Its handsets are prevalent in emerging markets, especially in Africa, where, according to IDC, it is the top-selling mobile phone manufacturer. Its Tecno, Infinix and Itel brands held a combined 40.6% share of the African smartphone market and a 69.5% share of the feature phone market during the last quarter of 2019. Transsion-manufactured handsets can also be found in many Asian countries.
Triada acts as a software backdoor and malware downloader. It installs a trojan (malicious code designed to look legitimate) known as “xHelper” onto compromised devices. xHelper persists across reboots, app removals and even factory resets, making it extremely difficult to remove even for experienced professionals, let alone the average mobile user. When exposed to the right environment, for example a particular phone network, xHelper components can query for new subscription targets and submit fraudulent subscription requests on behalf of the phone’s unsuspecting owner. These requests are automatic, meaning they do not require the owner’s permission, and invisible to the user. Had they succeeded, they would have consumed each user’s pre-paid airtime, the only way to pay for digital products in many emerging markets.
Secure-D’s investigation found evidence in code and in traffic data linking at least one of the xHelper components (known as “com.mufc.umbtts”) to subscription fraud requests from Transsion’s Tecno-branded W2 handset, which runs the Android OS. In the period under investigation, Secure-D detected and blocked nearly 800,000 suspicious xHelper requests from W2 devices.
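A practical first check for the persistence and component naming described above is to inspect the device’s installed-package list, which includes the APK path of each package. The script below is an added example, not Secure-D’s or Upstream’s tooling: it parses the output format of `adb shell pm list packages -f`, flags the one xHelper component named on this page (com.mufc.umbtts) and reports whether its APK lives on a system image partition (/system, /system_ext, /product, /vendor, /oem), which is where a normal uninstall and a factory reset cannot reach and why removal of a pre-installed component fails. The package list in the script is constructed sample data, and the `Umbtts` directory name is an assumption; a real run would feed in the device’s own dump.

```shell
#!/bin/sh
# Added example: triage an Android package list for the xHelper component
# named in the Secure-D findings. Not Upstream's or Secure-D's own tooling.
#
# Real use: adb shell pm list packages -f > packages.txt
#           find_ioc_packages "$(cat packages.txt)"
#
# SAMPLE_PACKAGES is constructed sample data in the "pm list packages -f"
# format (package:<apk path>=<package name>); the Umbtts path is an assumption.
SAMPLE_PACKAGES='package:/system/app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.chat-1/base.apk=com.example.chat
package:/system/priv-app/Umbtts/Umbtts.apk=com.mufc.umbtts
package:/data/app/com.example.game-2/base.apk=com.example.game'

# Only the component the page names; further names would have to come from
# your own telemetry. Triada downloads components, so absence here is not proof
# that the device is clean.
IOC_PACKAGES='com.mufc.umbtts'

# Prints "<package>\t<apk path>\t<location>" for every IOC match.
# location is "system" when the APK sits on a read-only image partition
# (not removable by the user or by a factory reset), else "user".
find_ioc_packages() {
    pkg_list="$1"
    printf '%s\n' "$pkg_list" | while IFS= read -r line; do
        path=${line#package:}   # strip the "package:" prefix
        path=${path%=*}         # drop "=<package name>" suffix
        pkg=${line##*=}         # keep only the package name
        for ioc in $IOC_PACKAGES; do
            if [ "$pkg" = "$ioc" ]; then
                case "$path" in
                    /system/*|/system_ext/*|/product/*|/vendor/*|/oem/*) loc=system ;;
                    *) loc=user ;;
                esac
                printf '%s\t%s\t%s\n' "$pkg" "$path" "$loc"
            fi
        done
    done
}

find_ioc_packages "$SAMPLE_PACKAGES"
```

A hit with location `system` cannot be fixed from the user side; the only remedies are a vendor firmware update that replaces the image, or, failing that, `pm disable-user --user 0 <package>` over ADB as a mitigation that survives until the next reinstall. Blocking the outbound subscription traffic at the operator, as Secure-D did, remains the control that protects users who never run any check.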
Google, the developer of the Android OS, has attributed the presence of Triada to the actions of a malicious supplier somewhere within the supply chain of the affected devices.
No signs of Triada were found on other handset models made by Transsion.
Geoffrey Cleaves, from Upstream, said: “Mobile ad fraud is fast becoming an epidemic which, if left unchecked, will throttle mobile advertising, erode trust in operators and leave users saddled with higher bills. A unified approach is needed to raise awareness.”
A report published by Upstream at the beginning of 2020 revealed that in 2019 a staggering 93% of mobile transactions had been blocked by Secure-D as fraudulent. Over 98,000 malicious Android apps were discovered, as well as 43 million infected devices in 20 countries. Secure-D currently covers 31 mobile operators across 20 countries.