Cyber security experts say Africa’s top smartphone brand has sold tens of thousands of phones loaded with malicious software. The phones drain users’ data, sign them up for subscription services without their knowledge, and make them unwilling accomplices in fraudulent ad schemes.
The Triada malware turned up on Chinese-made Tecno W2 smartphones in Ethiopia, Cameroon, Ghana and South Africa, according to a recent report. Triada uses a hard-to-remove program known as xHelper to do its dirty work, experts say.
In addition to creating fake subscriptions, the malware generates fake clicks on banner ads in the background, on sites that made millions of dollars for cyber criminals by defrauding advertisers with fake impressions.
As people conduct more and more business via smartphone, the situation raises questions about the reliability of Chinese-made technology and the degree to which it may be used to collect personal data and spy on its users.
“The xHelper trojan persists across reboots, app removals and even factory resets, making it extremely difficult to deal with even for experienced professionals, let alone the average mobile user,” mobile technology company Upstream, which has offices in South Africa and Nigeria, said in a statement.
Through its anti-fraud platform Secure-D, Upstream discovered 19.2 million suspicious transactions since March 2019 from more than 200,000 unique devices, most of them sold to low-income people looking for a cheap smartphone.
“As many affordable Android phone models are designed with emerging markets in mind, fraudsters can use them to target users who rely on prepaid mobile credit to make purchases with their phones,” Upstream reported in its analysis.
Tecno’s parent company, Transsion, dominates the low- and middle-cost sectors of Africa’s smartphone markets. It has grown rapidly in recent years and now covers 41% of Africa’s smartphone market. The company has said the malware was loaded after the phones left their factory and has offered a patch to fix the problem.
This is not the first time Africans have found themselves dealing with suspicious behavior by technology originating in China.
In 2017, African Union officials discovered that for five years the organization’s servers, made and installed as a gift by the Chinese government, had been transferring reams of data every night from the AU’s headquarters in Addis Ababa, Ethiopia (built by China in 2012), to servers in Shanghai. By 2018, the AU had replaced the servers, refusing China’s offer to help configure them.
This year, the popular Chinese-made app TikTok has been accused of funneling users’ data through China-based servers and cooperating with the Chinese Communist Party (CCP) as part of a global surveillance strategy.
In a posting to Twitter in July, data security experts ProtonMail warned that TikTok created the potential for massive surveillance by Chinese authorities.
“Our take on #TikTok: Beware,” ProtonMail posted. “The social media giant not only collects troves of personal data on you (and sometimes without your consent), but also cooperates with the CCP, extending China’s surveillance and censorship reach beyond its borders.”
TikTok was banned in India in late June along with dozens of other Chinese apps, including the WeChat messenger. The Indian government proclaimed the apps a threat to national sovereignty.
Many African nations have been slow to act on cyber security.
A 2018 report by the African Union found that only eight countries reported having a national cyber security strategy. Only 14 had laws protecting citizens’ personal data online. The same report found that African nations were the source of hundreds of thousands of cyber attacks around the globe each year.
In 2014, the AU adopted its Convention on Cyber Security and Personal Data Protection in an effort to build a legal foundation for protecting citizens online. The AU launched its 10-member Cyber Security Expert Group in December 2019 to advise union leaders on how best to address online security threats.
The Expert Group’s chairman Abdul-Hakeem Ajijola of Nigeria said the Tecno security breach is a wake-up call. He does not believe the problems are limited to phones from one country or one manufacturer. Therefore, he said, African nations must develop their own capacity for encryption and data security to protect their citizens.
“Africa must initiate and sustain capacity development of people, processes and technology,” he told ADF in an email. “We must encourage and facilitate the private sector as the prime driver of technology development and deployment while governments ensure fair play, equity and regulatory compliance.”