Low-Cost Chinese Androids in Africa Come With “xHelper” Malware Pre-Installed

• A particular ‘Transsion’ phone that is very popular in African markets comes with malware pre-installed.
• The malware is xHelper, a particularly persistent threat that can lead to substantial charges.
• It is unlikely that ‘Transsion’ planted the malware themselves, as it looks like a supply chain compromise.

Upstream researchers report of the suspicious activity they detected on ‘Transsion Tecno W2’ devices, which appear to come with the xHelper/Triada malware pre-installed. This is a particularly nasty piece of malware that has been plaguing the Android world for quite some time now. It is also a persistent threat that is planted in the system partition to stay intact even in the case of a factory reset.

The main purpose of xHelper is to subscribe the user to costly services and perform malicious transactions in the background. The reason why actors plant it in devices is to make money from affiliate cuts.

Secure-D blocked the activities of 53,000 ‘Transsion Tecno W2’ smartphones, which attempted to carry out suspicious transactions, so the issue concerns a low-cost device model that is quite popular in Ethiopia, Cameroon, Egypt, Ghana, Kenya, Nigeria, and in South Africa.

‘Techno Mobile’ is a Shenzhen-based smartphone manufacturer established in 2006, focusing mainly on African and South Asian markets. Their products are nothing special, really, but their aggressive pricing and marketing are helping a lot in putting them inside people’s pockets. After all, there are very few smartphone vendors who can make enough low-end devices available in developing country markets.

Related: Xhelper: Android Dropper Which Infected 45k Devices in Six Months

‘Techno Mobile’ has amazing output capability and sells hundreds of millions of mobile phones each year. Besides ‘Transsion,’ they also use the ‘Tecno,’ ‘Infinix,’ and ‘Itel’ brands, capturing a total of 40.6% of the African market.

Secure-D recorded 19.2 million suspicious transactions coming from 200,000 devices across 14 countries. In a quarter of these, they were able to confirm the presence of xHelper. The researchers clarified that there are no signs of the particular malware strain running on other models of ‘Transsion,’ so this could be a case of limited supply chain compromise.

The company hasn’t provided any official explanations on what may be the case, but it looks like they simply weren’t careful enough with their toolsets. We do not believe that ‘Transsion’ planted xHelper on the ‘Tecno W2’ on purpose, but they have blundered nonetheless.

Low-cost phone makers from China include annoying adware in their devices by default, but at least they are not hiding it in the background. If that was an attempt to test the waters through a single device model, it was a total failure.