Africa’s top handset vendor Transsion hit by pre-installed malware incident – security vendor also spotted two other similar incidents with other handset vendors
28 August 2020
Advertising and subscription fraud has existed for as long as digital advertising itself, but the malware behind it is becoming “more and more sophisticated and human-like.” Russell Southwood spoke to Geoffrey Cleaves, Head of Secure-D, about what happened and what it implies.
Customers who buy certain mobile phones have had malware installed on them before purchase, without their knowledge or consent. This malware generates fake digital advertising revenue and fraudulent subscription sign-ups for fraudsters who appear largely to operate from China. The malware families involved are xHelper and Triada.
This came to light after Secure-D, which sells security protection to MNOs and subscribers, found an unusually large number of transactions coming from Transsion Tecno W2 handsets, mainly in Ethiopia, Cameroon, Egypt, Ghana and South Africa, with some fraudulent mobile transaction activity detected in another 14 countries. To date, a total of 19.2m suspicious transactions, each an attempt to sign a user up to a subscription service without their permission, have been recorded from over 200,000 unique devices.
Secure-D’s further investigation found components of the xHelper/Triada malware preinstalled on 53,000 Transsion Tecno W2 smartphones, a low-cost handset model typically bought by people on lower incomes. Handset vendor Transsion told Buzzfeed the malware was installed in its supply chain without its knowledge.
So how does the scam work? According to Cleaves: “Phones are put together – like a car – on a production line. Sometimes part of that process happens outside the plant. Your top priority is keeping costs low ahead of quality control. So a company like Transsion will turn to an external vendor to load software on to the phone. In the case of Transsion the countries targeted are mostly African where the brand is strong but we’ve also seen malware like this in Asia but the numbers are much smaller.” In other words, the malware entered at the external vendor that loads the software, either through the vendor itself or through people working for it who were corrupted into pre-installing it.
Cleaves said: “Mobile ad fraud is fast becoming an epidemic which, if left unchecked, will throttle mobile advertising, erode trust in operators and leave users saddled with higher bills. A unified approach is needed to raise awareness.”
Based in Shenzhen, China, Transsion Holdings is one of the country’s leading mobile phone manufacturers, selling 124 million mobile phones globally in 2018 according to its own company data. Its handsets are prevalent in emerging markets, especially in Africa, where according to IDC it is the top-selling mobile phone manufacturer. Its Tecno, Infinix and Itel brands held a combined 40.6% share of the African smartphone market and a 69.5% share of the feature phone market in the last quarter of 2019. Transsion-manufactured handsets can also be found in many Asian countries.
So who are the ‘bad actors’ and where are they from? “The finger is pointing to China. Unbeknownst to Transsion there has been corruption in their supply chain. These players are often Chinese ad networks and app developers. You can act with impunity in China.”
“This is not an isolated incident. We’ve noticed three cases (including this one) of pre-installed malware software.” The first of these, com.rock.gota (its Android package name), affected phones in Brazil (on Multilaser phones, a local Brazilian brand) and Myanmar (on Smart-branded phones).
The second incident involved com.tct.weather on Alcatel A3 Max phones. One user’s device, which he reported as “acting up”, initiated 500 transaction requests over two months. As soon as the device was placed in a sandbox, the com.tct.weather application immediately began making calls to servers unrelated to its stated weather function. The application also collected users’ personal information and transferred it to servers in China.
The countries affected included Nigeria, South Africa, Egypt, Kuwait and Tunisia. Most customers who complained reported unwanted charges and their device or battery overheating (from CPU overuse). Alcatel phones are made by TCL in China.
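The two earlier incidents above are identified by Android package name, and in both cases the offending app shipped on the firmware rather than being installed by the user. The following is an added example, not Secure-D’s tooling or anything from the article: it parses the output of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per installed app), flags the two package names the article reports as indicators, and separately flags any third-party package sitting on a read-only firmware partition (/system, /vendor, /product and similar), which is where a factory-loaded app lives. The sample output, the namespace allowlist and the package `com.example.oemhelper` are constructed for illustration.

```python
"""Triage a `pm list packages -f` listing for likely pre-installed malware.

Added example (not Secure-D's code). Assumes the `package:<path>=<name>`
line format that `adb shell pm list packages -f` prints.
"""
import re
from dataclasses import dataclass

# Package names the article reports in the two earlier incidents.
KNOWN_IOC_PACKAGES = {"com.rock.gota", "com.tct.weather"}

# Partitions shipped in the firmware image; a user cannot install apps here.
FIRMWARE_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/oem/", "/odm/")

# Heuristic allowlist (an assumption for this example): AOSP and Google
# namespaces that are expected on a firmware partition and not worth flagging.
EXPECTED_NAMESPACES = ("android", "com.android.", "com.google.android.")

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    severity: str   # "high": matches a known indicator; "review": unexpected firmware app
    reason: str


def parse_pm_line(line):
    """Return (apk_path, package_name) for a pm listing line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("path"), m.group("pkg")


def is_firmware_path(path):
    return path.startswith(FIRMWARE_PREFIXES)


def triage(lines):
    """Scan pm output lines and return Findings in listing order."""
    findings = []
    for line in lines:
        parsed = parse_pm_line(line)
        if parsed is None:
            continue            # tolerate shell noise and blank lines
        path, pkg = parsed
        on_firmware = is_firmware_path(path)
        if pkg in KNOWN_IOC_PACKAGES:
            # An IoC on /data/app means a system app that has since been updated
            # (pm reports the updated APK path), so record where the copy lives.
            where = "factory image" if on_firmware else "updated copy on a writable partition"
            findings.append(Finding(pkg, path, "high", f"known indicator ({where})"))
        elif on_firmware and not pkg.startswith(EXPECTED_NAMESPACES):
            findings.append(Finding(pkg, path, "review", "third-party package on a firmware partition"))
    return findings


# Constructed sample listing, not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Weather/Weather.apk=com.tct.weather
package:/system/priv-app/Gota/Gota.apk=com.rock.gota
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/vendor/app/Helper/Helper.apk=com.example.oemhelper
package:/data/app/com.example.game-1/base.apk=com.example.game
not a package line
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_OUTPUT.splitlines()):
        print(f"{f.severity:6} {f.package:28} {f.path}  ({f.reason})")
```

Usage on a real handset is `adb shell pm list packages -f | python3 triage.py` after replacing the sample with `sys.stdin`. Treat a hit as a lead, not proof: the listing only shows packages that register with the package manager, and malware with system-level privileges, which is what Secure-D describes on the Tecno W2, can hide or rename its components, so a clean listing from a suspect device should be followed by a firmware image comparison against a known-good build.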
Africans who buy phones need some assurance of protection against malware of this kind arriving pre-installed. Not all phones are bought from mobile operators, but operators still need to take responsibility for protecting their customers against this kind of fraud.