China-made affordable smartphones secretly stealing money from users

Tecno W2 contain pre-installed thieving malware

Investigations by Secure-D, a mobile security service of anti-fraud company Up-stream found that pre-installed malware called Triada and xHelper are hiding in some China-made affordable smartphone, particularly Tecno W2, and are stealing users’ money by signing them on to paid apps without their consent.

According to the report, thousands of low cost devices made by Chinese manufacturer, Transsion (the manufacturer of Tecno, Infinix and Itel) were found to contain these thieving malware and not even a format of the phone to factory setting is able to get rid of the threat.

Secure-D caught and blocked an unusually large number of transactions coming from Transsion Tecno W2 handsets mainly in Ethiopia, Cameroon, Egypt, South Africa and Ghana, with some fraudulent mobile transaction activity detected in another 14 countries.

Indeed, Tecno W2 has been in Ghana for the past two years, the sole dealer being Mobile Zone.

At least two telecom operators, MTN Ghana and AirtelTigo have partnered Tecno in the launch of some of their handset, but it is not clear if W2 was included. Meanwhile, MTN Rwanda and MTN Uganda were partners in the launch of Tecno W2.

To date, a total of 19.2 million suspicious transactions – which would have secretly signed users up to subscription services without their permission – have been recorded from more than 200,000 unique devices.

Secure-D’s further investigation discovered components of the xHelper and Triada malware preinstalled on 53,000 of Transsion’s Tecno W2 smartphones, a low-cost handset model typically bought by those on a lower income.

Geoffrey Cleaves, Head of Secure-D at Upstream, commented: ‘This particular threat takes advantage of those most vulnerable. The fact that the malware arrives pre-installed on handsets that are bought in their millions by typically low-income households tells you everything you need to know about what the industry is currently up against.’

Based in Shenzhen, China, Transsion Holdings is one of the country’s leading mobile phone manufacturers, selling 124 million mobile phones globally in 2018, according to its own company data.

Its handsets are prevalent in emerging markets, especially in Africa, where according to IDC, it is the top-selling mobile phone manufacturer. Its Tecno, Infinix and Itel brands held a combined 40.6 percent share in the African smartphone market and a 69.5 percent share in the feature phone market during the last quarter of 2019.

In Ghana, Transsion Holding phones, Tecno, Infinix and Itel hold a combined market share of over 40%, which put them in the lead, while Tecno and Infinix are the second and third largest market share holders respectively – only behind Samsung and ahead of Apple.

Transsion Holding phones have biggest market share in Ghana

Transsion manufactured handsets can also be found in many Asian countries.

Triada malware acts as a software backdoor and malware downloader. It installs a trojan (a piece of malicious code designed to look normal) known as ‘xHelper’ onto compromised devices. The xHelper trojan persists across reboots, app removals and even factory resets, making it extremely difficult to deal with even for experienced professionals, let alone the average mobile user.

When exposed to the right environment, for example, a particular phone network, xHelper components can make queries to find new subscription targets and submit fraudulent subscription requests on behalf of the phone’s unsuspecting owner. These requests are automatic – meaning they do not require the phone owner’s permission – and invisible. Had they been successful, they would have consumed each user’s pre-paid airtime – the only way to pay for digital products in many emerging markets.

Secure-D’s investigation found evidence in code and from traffic data to link at least one of the xHelper components (known as ‘com.mufc.umbtts’) to subscription fraud requests via Transsion’s W2 Tecno-branded handset, which runs on Android OS. In the period under investigation Secure-D detected and blocked nearly 800k xHelper suspicious requests from W2 devices.

Google, developers of Android OS, has attributed the presence of the Triada malware to the actions of a malicious supplier somewhere within the supply chain of affected devices. Indeed, Tecno officials in South Africa also made the same claim, even though the malware does not go away after rebooting phone to factory settings.

No signs of Triada malware were found to affect other mobile phone models created by Transsion, apart from Tecno W2.

Geoffrey Cleaves, from Upstream, said: “Transsion traffic accounts for 4% of the users we see in Africa. Yet it contributes over 18% of all the suspicious clicks.”

He added that ‘Mobile ad fraud is fast becoming an epidemic which, if left unchecked, will throttle mobile advertising, erode trust in operators and leave users saddled with higher bills. A unified approach is needed to raise awareness.’

A report published by Upstream at the beginning of 2020 revealed that last year a staggering 93 percent of mobile transactions had been blocked by Secure-D as fraudulent. Over 98,000 malicious Android apps were discovered, as well as 43 million infected devices in 20 different countries. Secure-D currently covers 31 mobile operators across 20 countries.

For a more in-depth look at the state of malware and mobile ad fraud in emerging markets such as Asia and South Africa, readers can access Secure-D’s report, entitled The Invisible Digital Threat.


Please enter your comment!
Please enter your name here