Following a trail that began with other malware found on the phones, Secure-D researchers exposed how the Triada/xHelper duo facilitated mobile ad fraud.
Upstream’s security platform, Secure-D, has blocked millions of suspicious subscription requests coming from low-end devices made by Transsion, a Chinese manufacturer of affordable smartphones for the African market.
Many of the transaction requests originating from applications seem to be coming from a family of apps called com.mufc, whose source is unknown and which cannot be downloaded from any Android app store.
One thing that is certain is the app’s malicious nature. It can set off a series of actions that turn user devices into vectors for click fraud. Almost every transaction attempt coming from these devices during the period was identified as fraudulent.
It’s also incredibly stubborn and there is no conventional way to purge it from the phone – even after a factory reset.
UNVEILING THE INVESTIGATION
Starting in March 2019, Secure-D caught and blocked an unusually large number of transactions coming from Transsion Tecno W2 handsets mainly in Ethiopia, Cameroon, Egypt, Ghana, and South Africa, with some fraudulent mobile transaction activity detected in another 14 countries.
To date, a total of 19.2m suspicious transactions – which would have secretly signed users up to subscription services without their permission – have been recorded from over 200k unique devices.
Many of the blocked transactions originated from actions initiated by com.mufc.umbtts, an application that was detected on the devices. Almost all transaction attempts coming from these devices during the period were identified as fraudulent.
Having seen a spike in strange behaviour coming from the same source and concentrated in particular geographies, Secure-D decided to investigate further.
LAUNCHING THE INVESTIGATION
Secure-D acquired a selection of Tecno W2 mobile phones, both second-hand units from real users and newly purchased ones, to analyse the nature of the software that caused the fraudulent subscription requests. Analysis was carried out across a combination of device models and firmware versions. The phones were used for different purposes and connected to different types of networks.
The investigation confirmed that Tecno W2 devices came with Triada-related malware pre-installed. Triada is a well-known and extensively investigated malware that acts as a software backdoor and malware downloader.
It uses top-level device privileges to execute arbitrary malicious code after receiving instructions from a remote command and control server. It then hides inside permanent system components, making it more resilient against attempts to remove it.
Google has also conducted detailed research on Triada and attributes its existence to the actions of a malicious supplier somewhere within the supply chain of affected devices.
WHAT SECURE-D RESEARCHERS DISCOVERED
As soon as a device was placed in Secure-D’s protected ‘sandbox’ testing environment and connected to the internet, the Triada malware downloaded a second piece of malware called xHelper.
Secure-D researchers used static and dynamic analysis to locate the applications inside each Tecno W2’s firmware that were causing click fraud. We identified new system libraries that the malware patched in order to compromise other essential applications. These changes made the malware resilient across reboots, attempts at removal, and factory resets.
During the in-depth analysis, Secure-D discovered the software that enables Triada and downloads the xHelper components capable of click/subscription fraud. Through traffic captures, the researchers recorded click-fraud campaigns in action.
When the xHelper components found themselves in the right environment and connected to a Wi-Fi or 3G network (e.g. inside a South African network), they queried for new subscription targets and then proceeded to make fraudulent subscription requests.
These requests happened automatically, without requiring the phone user’s approval. The investigation found evidence in the code linking at least one of the xHelper components (“com.mufc.umbtts”) to the subscription fraud requests.
See below requests from two devices indicating actions related to subscription fraud:
The analysis of the captured web-related traffic revealed that the device was accessing several malicious domains that are considered Command & Control servers used by Triada malware authors. None of the internet hosts communicating with the malware was linked to the manufacturer.
HARD TO KILL
The Triada/xHelper duo is known for its persistence and for storing malicious components in an undeletable directory.
Having identified that malicious applications such as com.mufc.umbtts were in fact downloaded and not pre-installed, it was time to investigate how they secretly added themselves to each device.
On one device Secure-D researchers uninstalled com.comona.bac, com.mufc.umbtts, and com.mufc.firedoor while the phone was kept offline. Approximately 5 minutes later and with no Internet connection, all 3 applications had been automatically re-installed.
The persistence described above forced the investigation to look for on-device cached copies of the malicious APK files. The filesystem was therefore searched for files whose size was identical to that of the downloaded files.
The search results showed that the downloaded files were stored under the directory “/data/media/0/.jm” (see Figure below) using the names described in the relevant HTTP transaction.
This directory is ‘administrator access only’. Normal users with no advanced technical skills would have no way to access it or delete it.
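The search step described above, as an added example that is not part of the original Secure-D write-up or tooling: it walks a storage tree that has been pulled off a handset (for instance with `adb pull`), reports every file whose byte length matches an APK seen in the captured HTTP downloads, flags copies sitting under a hidden dot-directory such as .jm, and checks that each size match really is an APK (a ZIP archive carrying AndroidManifest.xml) so that a same-sized decoy is not mistaken for the payload. The sample tree, the file name umbtts.apk and the placeholder archive contents are constructed here; the page does not list the actual cached file names.

```python
"""Offline search of a pulled Android storage tree for cached malware APKs."""
import hashlib
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Hit:
    path: str            # relative to the root of the pulled tree
    size: int
    sha256: str
    in_hidden_dir: bool  # some path component starts with '.', e.g. ".jm"
    is_apk: bool         # ZIP container that carries AndroidManifest.xml


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large APKs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_apk(path: str) -> bool:
    """Every APK is a ZIP archive that contains AndroidManifest.xml."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return "AndroidManifest.xml" in z.namelist()


def find_cached_payloads(root: str, expected_sizes: Set[int]) -> List[Hit]:
    """Return every regular file under root whose size matches an observed download.

    Size is only a first filter: each match is hashed (to compare with the
    captured download) and validated as an APK. Hidden-directory hits sort first.
    """
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            size = os.path.getsize(full)
            if size not in expected_sizes:
                continue
            rel = os.path.relpath(full, root)
            hidden = any(part.startswith(".") for part in rel.split(os.sep))
            hits.append(Hit(rel, size, sha256_of(full), hidden, is_apk(full)))
    hits.sort(key=lambda h: (not h.in_hidden_dir, not h.is_apk, h.path))
    return hits


def build_sample_tree() -> Tuple[str, Set[int]]:
    """Construct a stand-in for a pulled /data/media/0 tree (sample data, not from a real device).

    Returns the tree root and the set of sizes a captured download would have had.
    """
    root = tempfile.mkdtemp(prefix="pulled_data_media_0_")
    os.makedirs(os.path.join(root, ".jm"))
    os.makedirs(os.path.join(root, "Download"))

    # Cached payload in the hidden directory. The file name is an assumption:
    # the write-up says cached files reuse the names from the HTTP transaction
    # but does not list them. Archive members are placeholders, not real code.
    payload = os.path.join(root, ".jm", "umbtts.apk")
    with zipfile.ZipFile(payload, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
    payload_size = os.path.getsize(payload)

    # Decoy with the same byte length but no ZIP structure: a size-only search
    # reports it, the APK check rejects it.
    with open(os.path.join(root, "Download", "notes.txt"), "wb") as f:
        f.write(b"A" * payload_size)

    # Unrelated file of a different size, which must not be reported.
    with open(os.path.join(root, "Download", "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff" + b"\x00" * 10)

    return root, {payload_size}


if __name__ == "__main__":
    root, sizes = build_sample_tree()
    for hit in find_cached_payloads(root, sizes):
        kind = "APK" if hit.is_apk else "size match only"
        where = "hidden dir" if hit.in_hidden_dir else "visible"
        print(f"{hit.path}: {hit.size} bytes, {where}, {kind}, sha256={hit.sha256[:16]}...")
```

On a real case the expected sizes come from the Content-Length of the captured APK downloads, and the SHA-256 of each hit is compared with a hash of the captured body; the size match alone only narrows the candidates, as the same-sized decoy in the sample tree shows.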
NOT THE FIRST TIME
This isn’t the first time Secure-D has found low-cost Android smartphones being sold with pre-installed ad fraud malware. Cybercriminals see the devices as easier to compromise and convert into vectors for click fraud.
As many affordable Android phone models are designed with emerging markets in mind, fraudsters can use them to target users who rely on pre-paid mobile credit to make purchases with their phones.
The resulting click fraud can lead to widespread losses and net criminals millions in stolen funds if it isn’t identified and blocked.
Even though Triada has been known for some time and various publications have warned about it as a backdoor threat, it remains active to this day, infecting users’ phones and facilitating mobile click fraud.
The Triada investigation conducted by Google concluded that a vendor ‘somewhere in the manufacturing supply chain’ was likely responsible for placing a Triada malware component into the devices’ firmware. Developers and manufacturers are commonly unaware of the infection. They must be extra careful when choosing third-party SDKs and modules, to prevent questionable SDKs from sneaking malware into their products.
CONSEQUENCES FOR END USERS
Secure-D blocked a total of 19.2m suspicious subscription sign-ups between March 2019 and August 2020, coming from over 200k unique Transsion Tecno W2 devices across 19 countries. Most of the suspicious activity, which is still on-going, took place in Egypt, Ethiopia, South Africa, Cameroon, and Ghana. In the period under investigation, Secure-D detected and blocked nearly 800k suspicious xHelper requests from W2 devices.
The persistent xHelper trojan was found on 53k W2 Transsion devices.
The mobile malware uncovered by the researchers generated fake clicks, attempted fraudulent subscriptions and installed other suspicious apps without user consent. All of these actions happened completely in the background and were invisible to device owners.
Had the subscription attempts been successful, the data services involved would have consumed each user’s pre-paid airtime – the only way to pay for digital products in many emerging markets.
Ad and click fraud are recurring issues affecting everyone in the mobile marketing ecosystem. To avoid falling victim, Android users in particular should check their phone airtime records for unexpected charges and high data usage.
Third-party app stores often have less rigorous approval processes that let malware-prone apps sneak into their listings, but even apps from official sources like Google Play can be compromised. And as we’ve seen in this instance, sometimes the infection is already present when you purchase a new phone.
FOR MOBILE NETWORK OPERATORS, CONTENT PROVIDERS & AGGREGATORS, AND SECURE-D CLIENTS
Secure-D has been blocking all suspicious activity originating from Transsion devices in Africa since the start of its investigation.
FOR INFORMATION SECURITY EXPERTS
Secure-D shares its findings with the community to help combat fraud and eliminate mobile threats. To request a complete technical analysis of the xHelper / Triada infection or a list of infected apps, security professionals should contact firstname.lastname@example.org.