Hacking of WhatsApp accounts through counterfeit phones discovered by researchers

Hacking of WhatsApp accounts through counterfeit phones has become an important topic, so in this post we explain how the attack works and how to avoid it.

Multiple trojans targeting the WhatsApp and WhatsApp Business messaging apps have been found on budget Android devices that are counterfeit versions of popular smartphone models. The malware, which Doctor Web first identified in July 2022, was found in the system partitions of at least four different phones: the P48pro, Redmi Note 8, Note30u and Mate40.

The cybersecurity company stated in its report that “all cases are connected by the fact that the hacked devices were copycats of well-known brand-name products.”

“Further, they had old OS versions installed on them and no current OS information was displayed in their device details (such as Android 10). They used the old 4.4.2 version.”

The tampering specifically affects two files, “/system/lib/libcutils.so” and “/system/lib/libmtd.so,” which have been altered so that a trojan is launched whenever the libcutils.so system library is loaded by any application.

If the application loading the libraries is WhatsApp or WhatsApp Business, libmtd.so launches a third backdoor, whose main job is to download new plugins from a remote server and install them on the affected device.

“A main danger of the discovered backdoors, namely the modules they download, is that they become a part of the targeted apps,” the researchers explained.

Because the downloaded modules run inside the messaging apps and have access to those apps' files, they can read conversations, send spam, intercept and listen to phone calls, and perform other malicious actions.

If the application loading the libraries instead turns out to be wpa_supplicant, the system daemon that manages Wi-Fi network connections, libmtd.so is configured to start a local server that accepts connections from a remote or local client through a “mysh” console.
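The mechanism described above (a patched libcutils.so that hands control to code in libmtd.so, which then checks whether it is running inside WhatsApp, WhatsApp Business or wpa_supplicant) gives a forensic examiner something concrete to look for in a pulled /system/lib. The script below is an added example, not Doctor Web's tooling and not code from the report: it walks the ELF32 program headers of a library (section headers may be stripped on tampered files, so it deliberately does not rely on them), lists its DT_NEEDED dependencies, and flags the indicators the report implies. Two assumptions are labelled in the code: that a stock AOSP libcutils.so never depends on a libmtd.so, and that the implant carries the package and daemon names it checks (`com.whatsapp`, `com.whatsapp.w4b`, `wpa_supplicant`) and the `mysh` console name as plain strings. The `build_elf32_so` helper only constructs a sample input so the script runs offline; it is not derived from any real sample.

```python
"""Offline triage of system libraries pulled from a suspect Android device
(example code, not Doctor Web's tooling). Little-endian ELF32 only, which
covers the ARM32 libraries found on the Android 4.4.2 devices in the report."""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

# Strings the report's description implies the implant must carry: it decides
# whether the host process is WhatsApp / WhatsApp Business or wpa_supplicant,
# and exposes a "mysh" console. The exact byte strings are an assumption.
INDICATORS = [b"com.whatsapp.w4b", b"com.whatsapp", b"wpa_supplicant", b"mysh"]


def parse_needed(data):
    """Return the DT_NEEDED library names of a little-endian ELF32 object,
    resolving DT_STRTAB through the PT_LOAD segments (no section headers used)."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a little-endian ELF32 file")
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, p_off, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            "<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []  # not a dynamically linked object: nothing to resolve

    def vaddr_to_off(va):
        for v, o, sz in loads:
            if v <= va < v + sz:
                return o + (va - v)
        raise ValueError("address %#x not backed by any PT_LOAD segment" % va)

    off, size = dynamic
    end = off + size
    needed_offs, strtab_va = [], None
    while off + 8 <= end:
        d_tag, d_val = struct.unpack_from("<iI", data, off)
        off += 8
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed_offs.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab_va = d_val
    if strtab_va is None:
        raise ValueError("dynamic section has no DT_STRTAB")
    strtab = vaddr_to_off(strtab_va)
    names = []
    for o in needed_offs:
        start = strtab + o
        names.append(data[start:data.index(b"\x00", start)].decode("ascii", "replace"))
    return names


def triage_library(name, data):
    """Return (needed, findings) for one library image given its file name."""
    needed = parse_needed(data)
    findings = []
    # Assumption: a stock AOSP libcutils.so never links a libmtd.so, whereas the
    # report describes the tampered libcutils.so handing control to libmtd.so.
    if name == "libcutils.so" and "libmtd.so" in needed:
        findings.append("libcutils.so depends on libmtd.so")
    for s in INDICATORS:
        if s in data:
            findings.append("string %r present in %s" % (s.decode(), name))
    return needed, findings


def build_elf32_so(needed, extra_strings=()):
    """Constructed test input only: a minimal (non-loadable) ELF32 shared object
    with one PT_LOAD covering the file at vaddr 0 and one PT_DYNAMIC segment."""
    dynstr = b"\x00" + b"".join(n.encode() + b"\x00" for n in needed)
    needed_offs, off = [], 1
    for n in needed:
        needed_offs.append(off)
        off += len(n) + 1
    dynstr_off = 0x100
    dyn_off = (dynstr_off + len(dynstr) + 3) & ~3
    dyn = b"".join(struct.pack("<iI", DT_NEEDED, o) for o in needed_offs)
    dyn += struct.pack("<iI", DT_STRTAB, dynstr_off)  # vaddr == file offset here
    dyn += struct.pack("<iI", DT_STRSZ, len(dynstr)) + struct.pack("<iI", DT_NULL, 0)
    blob = b"".join(s + b"\x00" for s in extra_strings)
    blob_off = dyn_off + len(dyn)
    total = blob_off + len(blob)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                       3, 40, 1, 0, 52, 0, 0, 52, 32, 2, 40, 0, 0)  # ET_DYN, EM_ARM
    phdrs = struct.pack("<8I", PT_LOAD, 0, 0, 0, total, total, 5, 0x1000)
    phdrs += struct.pack("<8I", PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 6, 4)
    img = bytearray(total)
    img[0:52], img[52:116] = ehdr, phdrs
    img[dynstr_off:dynstr_off + len(dynstr)] = dynstr
    img[dyn_off:dyn_off + len(dyn)] = dyn
    img[blob_off:blob_off + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:  # e.g. python3 triage.py system/lib/libcutils.so system/lib/libmtd.so
        for path in paths:
            with open(path, "rb") as f:
                needed, findings = triage_library(path.rsplit("/", 1)[-1], f.read())
            print(path, "NEEDED:", needed, "FINDINGS:", findings)
    else:  # no files given: run against the constructed sample
        sample = build_elf32_so(["libmtd.so", "libc.so"], [b"com.whatsapp", b"wpa_supplicant", b"mysh"])
        print(triage_library("libcutils.so", sample))
```

Run it against the two libraries pulled from a suspect device (for example with `adb pull /system/lib/libcutils.so`). A libcutils.so that depends on libmtd.so, or either library carrying messaging-app package names and the `mysh` string, matches the pattern the report describes and deserves a closer look; absence of these indicators does not prove a device clean, since the strings may be obfuscated.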

Based on the discovery of another trojan embedded in the system application responsible for over-the-air (OTA) firmware updates, Doctor Web speculated that the system partition implants might be part of the FakeUpdates (aka SocGholish) malware family.

Using Lua scripts, the rogue app exfiltrates detailed metadata about the infected device and downloads and installs other software without the user's knowledge.

To avoid becoming a victim of this kind of malware, buy mobile devices only from official stores and legitimate distributors. A mismatch between the Android version a device reports in its settings and the version it actually runs, as with the Android 4.4.2 devices in this report, is a warning sign in its own right.
