Cybercriminals are using counterfeit Android phones to hack into WhatsApp. Anti-malware company Doctor Web identified counterfeit versions of well-known smartphone brands that ship with trojans targeting WhatsApp and WhatsApp Business.
At least four Android devices (P48pro, Radmi note 8, Note30u and Mate40) were affected. According to the report, cybercriminals used these devices to launch a backdoor that spies on WhatsApp files and accesses their content. The researchers also found that the counterfeit models ran an outdated version of their software.
How are counterfeit Android devices being hacked?
To hack the WhatsApp and WhatsApp Business messaging applications, the attackers create a backdoor that blends into the program and appears to be part of the application. This makes it less conspicuous when it launches another backdoor to gain unauthorized access and bypass WhatsApp's security measures.
Trojans launched to hack WhatsApp
According to the report, the trojans are planted in WhatsApp by targeting code execution. Cybercriminals use the modified system object /system/lib/libcutils.so to launch a trojan that gives them complete access to the device: it can delete files, steal confidential data, and send messages to a remote server.
The attackers modify the built-in system library into Android.BackDoor.3105, which launches a malicious library whenever a program on the device uses it. Android.BackDoor.3105 is a trojan application that is used on outdated Android devices.
Creating backdoors when the default system library is used
The attackers can control how the malicious library exploits the device based on how the built-in system library is used. While the built-in system library is in use, the malicious library can create further backdoors to access more files on the device or even change system settings. The trojan downloads and installs additional malicious files when the built-in system libraries /system/lib/libcutils.so and /system/lib/libmtd.so are used.
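One defender-side check that follows from this mechanism, added here as an example and not part of the Doctor Web report: the page does not say how the patched libcutils.so pulls in the malicious library, so this assumes it is linked as an extra DT_NEEDED dependency and audits the `readelf -d` output of the library against a known-good baseline. The sample readelf text, the extra libmtd.so entry in it and the baseline set are all constructed for this example.

```python
import re

# Constructed sample of `readelf -d /system/lib/libcutils.so` as captured
# from a suspect device. The libmtd.so entry stands in for an injected
# dependency and is invented for this example, not taken from the report.
SAMPLE_READELF = """
Dynamic section at offset 0x1f0c0 contains 30 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [liblog.so]
 0x00000001 (NEEDED)                     Shared library: [libc.so]
 0x00000001 (NEEDED)                     Shared library: [libdl.so]
 0x00000001 (NEEDED)                     Shared library: [libmtd.so]
 0x0000000e (SONAME)                     Library soname: [libcutils.so]
 0x00000019 (INIT_ARRAY)                 0x1e000
"""

# Hypothetical baseline: the DT_NEEDED set a clean libcutils.so carries on
# this build. In practice, extract it from a known-good firmware image.
BASELINE_NEEDED = {"liblog.so", "libc.so", "libdl.so"}

# Matches one readelf line of the form "(NEEDED) Shared library: [name]".
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def parse_needed(readelf_output: str) -> list[str]:
    """Return the DT_NEEDED entries in the order readelf printed them."""
    return NEEDED_RE.findall(readelf_output)


def audit_needed(readelf_output: str, baseline: set[str]) -> dict:
    """Compare a library's DT_NEEDED list against a known-good baseline.

    Any dependency not in the baseline is reported as unexpected (a patched
    system library pulling in an extra .so); a baseline entry that vanished
    is reported as missing, since a rebuilt library may drop it too.
    """
    needed = parse_needed(readelf_output)
    unexpected = [lib for lib in needed if lib not in baseline]
    missing = sorted(baseline - set(needed))
    return {
        "needed": needed,
        "unexpected": unexpected,
        "missing": missing,
        "suspicious": bool(unexpected or missing),
    }


if __name__ == "__main__":
    print(audit_needed(SAMPLE_READELF, BASELINE_NEEDED))
```

The same audit applies to /system/lib/libmtd.so or any other system library: capture its readelf output via adb and diff it against the baseline taken from the vendor's genuine firmware.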
Command and Control Server sends modules
Android.BackDoor.3105 connects to a command-and-control (C&C) server and requests additional modules to be delivered to the Android program. This communication also sends an array of the device's data to the server, which makes it easy to deliver malicious downloads. The result is that more plugins are added to the victim's counterfeit Android device: the trojans download these plugins onto the device, where they are decrypted and run to continue the damage. Cybercriminals use C&C servers to push trojans and malware to other devices.