A new malware family that attacks WhatsApp has been discovered. Most curiously, the Trojans arrive preinstalled on cheap Android devices that are counterfeit versions of models from popular smartphone brands. At least four phone models that copy well-known brands host multiple Trojans designed to attack the WhatsApp and WhatsApp Business messaging applications.

The malware has been found on at least four different smartphones: P48pro, radmi note 8, Note30u and Mate40. It affects two files, “/system/lib/libcutils.so” and “/system/lib/libmtd.so”. These are modified so that whenever any app uses the libcutils.so system library, a Trojan embedded in libmtd.so is executed.

If the apps that use the libraries are WhatsApp and WhatsApp Business, libmtd.so proceeds to launch a third backdoor whose main responsibility is to download and install additional plugins from a remote server on compromised devices, according to Doctor Web, the security company that discovered this problem.
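A triage check for the two library paths named above, as an added example that is not taken from Doctor Web's report: it compares those files in an extracted system partition against a reference image. The directory layout, the `triage` and `needs_review` names, and the availability of a reference image you trust are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# Library paths named in the article, relative to the partition root.
WATCHED = ("system/lib/libcutils.so", "system/lib/libmtd.so")


def sha256_file(path):
    """Hash a file in chunks so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(suspect_root, reference_root, watched=WATCHED):
    """Return {relative_path: verdict} for each watched library.

    suspect_root   -- extracted partition of the device under review (assumed layout)
    reference_root -- the same paths from a firmware image you trust (assumption)
    """
    results = {}
    for rel in watched:
        suspect = Path(suspect_root) / rel
        reference = Path(reference_root) / rel
        if not suspect.is_file():
            results[rel] = "absent"        # not on the device at all
        elif not reference.is_file():
            results[rel] = "unexpected"    # on the device, not in the reference image
        elif sha256_file(suspect) != sha256_file(reference):
            results[rel] = "modified"      # same path, different contents
        else:
            results[rel] = "match"
    return results


def needs_review(results):
    """Paths an analyst should pull for closer inspection."""
    return sorted(rel for rel, verdict in results.items()
                  if verdict in ("modified", "unexpected"))


if __name__ == "__main__" and len(sys.argv) == 3:
    for rel, verdict in triage(sys.argv[1], sys.argv[2]).items():
        print(f"{verdict:10} /{rel}")
```

A "modified" or "unexpected" verdict only marks a file for analysis; a hash difference can also come from a different build of the same firmware.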

What do these Trojans achieve?

This Trojan gains access to the files of the attacked apps and can read chats, send spam, intercept and listen to phone calls, and perform other malicious actions, depending on the functionality of the downloaded modules.

The fake app, meanwhile, is designed to leak detailed metadata about the infected device, as well as download and install other software without users’ knowledge via scripts.

“The danger of discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted applications,” the security company says. The most likely origin of the malicious apps discovered on the system partition of the attacked devices could be a member of the Android.FakeUpdates Trojan family, which has been known for many years.

Malicious actors embed these Trojans in various system components, such as firmware update software, the default configuration application or the component responsible for the graphical interface of the system.