Pre-installed malware on low-cost Chinese phones steals data and money from users in developing countries. For example, the Tecno W2 smartphone sells in some regions for literally $30, much cheaper than comparable models from Samsung, Nokia or Huawei. But that low price comes with unpleasant consequences.
The Chinese company Transsion produces smartphones and conventional cell phones for developing countries under the Tecno brand and others. Since launching its first handset in 2014, the company has, for example, become the leader in phone sales in Africa, overtaking previous leaders Samsung and Nokia.
But success can come at a price. Users in Africa, Ethiopia, Cameroon, Egypt, Ghana, Indonesia and Myanmar complained that pop-up ads on the Tecno W2 interrupted calls and chats and that their mobile account balances were mysteriously spent; there have also been reports of paid subscriptions to unknown apps. An investigation by Secure-D, a mobile security service, showed that there was a cause behind all of this. The smartphones were infected out of the box with xHelper and Triada, malware that secretly downloaded applications and signed people up for paid services without their knowledge.
Secure-D, which some mobile operators use to protect their networks and customers from fraudulent transactions, blocked 844,000 transactions involving pre-installed malware on Transsion phones between March and December 2019. Secure-D Managing Director Geoffrey Cleaves told BuzzFeed News that user data has been actively used in attempts to automatically subscribe to paid services. “For example, in Africa, Transsion devices generate 4% of user traffic, while such smartphones account for more than 18% of all suspicious transactions,” said Mr. Cleaves.
This is another example of what can happen when people try to save money by buying a device from a little-known brand. Cheap Chinese smartphones often come with preinstalled malware that charges a kind of tax. At the same time, a Transsion spokesman told BuzzFeed News that the hidden programs Triada and xHelper ended up on the company’s phones through some unknown link in the supply chain.
“We always attach great importance to the safety of consumer data and product safety,” said the company. “Every piece of software installed on the device goes through a series of rigorous security checks, such as our proprietary security scanning platform, Google Play Protect, GMS BTS and VirusTotal test.” A company spokesperson added that Transsion has not benefited from malware and declined to disclose how many mobile phones were infected.
Although largely unknown outside developing countries, Transsion is the fourth largest mobile phone manufacturer in the world after Apple, Samsung and Huawei, and is the only leading manufacturer focused exclusively on emerging markets.
The need to keep costs down opens the door to malware and other vulnerabilities. “Fraudsters can take advantage of the consumer’s desire to buy a device at the lowest price by offering their hardware or software services even below cost, knowing that they can then recoup costs through fraud,” said Geoffrey Cleaves.
Secure-D previously detected pre-installed malware on Alcatel-branded phones from Chinese mobile phone manufacturer TCL Communication in Brazil, Malaysia and Nigeria. It also investigated how Chinese malware preinstalled on cheap smartphones in Brazil and Myanmar robbed users through fraudulent transactions.
Similar schemes operate not only in developing countries, but also in the United States. This year, security firm Malwarebytes found pre-installed malware of Chinese origin on two phones offered to low-income citizens as part of the US government’s Lifeline program, which provides subsidized phones and cheaper mobile data. Both phones were manufactured by Chinese companies.
Nathan Collier, senior mobile malware analyst at Malwarebytes, said cheap Chinese smartphones often pose security threats to people around the world. “We see the same story over and over again when a cheap Chinese phone with Chinese malware falls into the hands of people who cannot afford a more expensive device,” he said. “It is disgusting and unpleasant to pre-install malware on a phone before a consumer purchases it.”
Mr. Collier researched Triada and xHelper and said it was the first malware he had encountered in his practice that remains operational even after a factory reset. Transsion said it released a patch against Triada in March 2018 after reports revealed the presence of the software on W2 smartphones. The company also added that it released a fix for xHelper in late 2019. In both cases, phone owners had to manually download the fixes and update their phones.
Secure-D continues to block transactions from Transsion phones, but to a much lesser extent. Experts believe that xHelper has entered a stage of inactivity and is dormant on millions of devices, while attackers are just waiting for the opportunity to strike again.