A recent report by anti-fraud firm Upstream revealed that malicious code was found on thousands of phones sold by Transsion, the parent company of TECNO.
Secure-D, Upstream’s full-stack anti-fraud platform, discovered pre-installed malware signing mobile users up to subscription services without their permission on thousands of low-cost TECNO devices.
The platform reportedly caught and blocked an unusually large number of transactions coming from Transsion TECNO W2 handsets mainly in Ethiopia, Cameroon, Egypt, Ghana, and South Africa, with some fraudulent mobile transaction activity detected in another 14 countries.
To date, a total of 19.2m suspicious transactions, which would have secretly signed users up to subscription services without their permission, have been recorded from over 200k unique devices.
“This particular threat takes advantage of those most vulnerable. The fact that the malware arrives pre-installed on handsets that are bought in their millions by typically low-income households tells you everything you need to know about what the industry is currently up against,” commented Geoffrey Cleaves, Head of Secure-D at Upstream.
Triada malware acts as a software backdoor and malware downloader. It installs a trojan (a piece of malicious code designed to look normal) known as “xHelper” onto compromised devices. The xHelper trojan persists across reboots, app removals and even factory resets, making it extremely difficult to deal with even for experienced professionals, let alone the average mobile user. When exposed to the right environment, for example, a particular phone network, xHelper components can make queries to find new subscription targets and submit fraudulent subscription requests on behalf of the phone’s unsuspecting owner. These requests are automatic – meaning they do not require the phone owner’s permission – and invisible. Had they been successful, they would have consumed each user’s pre-paid airtime – the only way to pay for digital products in many emerging markets.
In a statement sent to the Nigerian tech news website Silicon Nigeria on Tuesday, TECNO claimed that the Triada malware was first discovered in April 2018 and that the company has since distributed a patch that customers could use to remove the program.
The company added that if customers had run any system updates on their phones since 2018, that would have eliminated the problem. For those who haven’t yet done so, the company advised: “For current W2 users facing Triada issue presently, we advise that they download the [over the air] fix on their phone for installation, or contact TECNO’s after-sales service support for assistance.”
Interestingly, the statement made no mention of the xHelper malware program that Secure-D also discovered on TECNO’s W2 phones.