Home Technology

Android users are being secretly defrauded by Triada malware – Secure-D warns


By: Editor

Secure-D, a global leading anti-fraud platform that protect mobile transactions, is warning Android device users across the world of an existing and well-known malware called Triada that is secretly defrauding users.

Recently, Secure-D published a report revealing that Tecno W2 in particular had the malware installed in it from factory and even if the user discovers it and formats the handset, the malware does not go away.

It was discovered that the Triada malware, which is usually put in affordable phones, has secretly done over 19.2 million transactions on behalf of phone users without their knowledge and or consent, and more people continue to be defrauded till date.

Below is a full write up from Secure-D on its findings about Triada and how it is secretly robbing Android phone users across emerging markets in particular, including Ghana.

Triada is a well-known and extensively investigated malware that acts as a software backdoor and malware downloader. It installs a trojan (a piece of malicious code designed to look normal) known as “xHelper” onto compromised devices.

It uses top-level device privileges to execute arbitrary malicious code after receiving instructions from a remote command and control server. It then hides inside permanent system components, making it more resilient against attempts to remove it.

Google has also conducted a detailed research on Triada and attributes its existence to actions of a malicious supplier somewhere within the supply chain of affected devices.

Secure-D, has blocked millions of suspicious subscription requests coming from low-end devices made by Transsion, a Chinese manufacturer of affordable smartphones for the African market.

Triggered by another malware that was found on the phones, Secure-D researchers exposed how the Triada/xHelper duo facilitated mobile ad fraud.

Launching the Investigation

Starting in March 2019, Secure-D caught and blocked an unusually large number of transactions coming from Transsion Tecno W2 handsets mainly in Egypt, Ethiopia, South Africa, Cameroon, Ghana with some fraudulent mobile transaction activity detected in another 14 countries.

To date, a total of 19.2m suspicious transactions – which would have secretly signed users up to subscription services without their permission – have been recorded from over 200k unique devices.

Many of the blocked transaction requests originating from actions initiated by com.mufc, an application whose source is unknown and which cannot be downloaded from any Android app store. Almost all transaction attempts coming from these devices during the period were identified as fraudulent.

Having seen a spike in strange behaviour coming from the same source and focused on particular geographies, Secured-D decided to investigate further.

Threat Behavior

Secure-D acquired a selection of Tecno W2 mobile phones, both used from real users and newly purchased, to analyse the nature of the software that caused the fraudulent subscription requests. Analysis was carried out using a combination of device models and firmware versions. Phones were used for different purposes and connected to different types of networks.

The investigation showed that Tecno W2 devices came with Triada-related malware pre-installed. Triada is a well-known and extensively investigated malware that acts as a software backdoor and malware downloader.

As soon as the device was placed in Secure-D’s protected ‘sandbox’ testing environment and connected to the internet, Triada malware would then download a second malware called xHelper.


Secure-D researchers used static and dynamic analysis to locate the applications inside each Tecno W2’s firmware that were causing click fraud. We identified new system libraries that the malware patched in order to compromise other essential applications. These changes made the malware resilient across reboots, attempts at removal, and factory resets.

During the in-depth analysis, Secure-D discovered software that enables Triada, and would download xHelper components that are capable of click/subscription fraud. Through traffic captures we recorded click-fraud campaigns in action.

When xHelper components were found in the right environment and connected to wi-fi or 3G network (e.g. inside a South African network), they made queries to find new subscription targets, and then proceeded to make fraudulent subscription requests.

These happened automatically and without requiring a mobile phone operator’s approval. The investigation found evidence in the code that linked to at least one of the xHelper components (“com.mufc.umbtts”) to subscription fraud requests.

Further investigation to the code of the core umbtts application found strings containing JavaScript code that indicated click fraud and subscription fraud. The app was capable of generating clicks on ad banners in the background and subscribing users to digital services without their knowledge.

The analysis of the captured web-related traffic revealed that the device was accessing several malicious domains that are considered Command & Control servers used by Triada malware authors. None of the internet hosts communicating with the malware was linked to the manufacturer.

Malware Persistence

The Triada/xHelper duo is known for its persistence and for storing malicious components in an undeletable directory.

Having identified that malicious applications such as com.mufc.umbtts were in fact downloaded and not pre-installed, it was time to investigate how they secretly added themselves to each device.

On one device Secure-D researchers uninstalled com.comona.baccom.mufc.umbtts, and com.mufc.firedoor while the phone was kept offline. Approximately 5 minutes later and with no Internet connection, all 3 applications had been automatically re-installed.

The persistency described above forced the investigation to look for on-device cached versions of the malicious APK files. The filesystem was thus searched for files with a size identical to the downloaded files.

The search results showed that the downloaded files were stored under the directory “/data/media/0/.jm” (see Figure below) using the names described in the relevant HTTP transaction.

This directory is ‘administrator access only’. Normal users with no advanced technical skills would have no way to access it or delete it.

This isn’t the first time Secure-D has found low-cost Android smartphones being sold with pre-installed ad fraud malware. Cybercriminals see the devices as easier to compromise and convert into vectors for click fraud.

As many affordable Android phone models are designed with emerging markets in mind, fraudsters can use them to target users who rely on pre-paid mobile credit to make purchases with their phones.

The resulting click fraud can lead to widespread losses and net criminals millions in stolen funds if it isn’t identified and blocked.

Even though Triada is known for some time and various publications have warned about it as a backdoor threat, it remains active till today infecting users’ phone devices and facilitating mobile click fraud.

The Triada investigation conducted by Google concluded that a vendor ‘somewhere in the manufacturing supply chain’ was likely responsible for placing a Triada malware component into the devices’ firmware. It is common that developers and manufacturers are usually unaware of the malware infection. They must be extra careful when choosing third party SDKs and modules, preventing questionable SDKs from sneaking malware into their products.

Consequences on the Users

Secure-D blocked a total of 19.2m suspicious subscription sign-ups between March 2019 to August 2020, coming from over 200k unique Transsion devices across 19 countries. Most of the suspicious activity, which is still on-going, took place in Egypt, Ethiopia, South Africa, Cameroon, and Ghana. In the period under investigation Secure-D detected and blocked nearly 800K xHelper suspicious requests from W2 devices.The persistent xHelper trojan was found on 53K W2 Transsion devices.

A mobile malware uncovered by Secure-D researchers generated fake clicks, attempted fraudulent subscriptions, installed other suspicious apps without user consent. All of these actions happened completely in the background and were invisible to device owners.

Had the subscription attempts been successful, the data services involved would have consumed each user’s pre-paid airtime – the only way to pay for digital products in many emerging markets.

Ad and click fraud are recurring issues affecting everyone in the mobile marketing ecosystem. To avoid falling victim, Android users in particular should check their phone airtime records for unexpected charges and high data usage.

Third-party app stores often have less rigorous approval processes that let malware-prone apps sneak into their listings, but even apps from official sources like Google Play can be compromised. And as we’ve seen in this instance, sometimes the infection is already present when you purchase a new phone.


Ghanabanews is not responsible for the reportage or opinions of contributors published on the website. 

Send your news stories to and via whatsApp on +233243359263


Customer education, alertness are key to MoMo fraud fight – AirtelTigo Money boss


By: Editor

The Director of AirtelTigo Money, Thompson Sakyi has said customer education and alertness, more than anything else, are the key to eliminating mobile money fraud.

Speaking exclusively Techgh24, he said mobile money fraudsters basically use social engineering, which is very dynamic in nature and hard to predict, adding that they target unsuspecting and inquisitive customers, and not the mobile money platform itself.

He believes the primary means of combatting the multi-phase social engineering tactics employed by the fraudsters is the consistent customer education that will keep customers alert to the fraudster tricks.

It would be recalled that mobile money market leader, MTN Mobile Money Limited recently announced that, in addition to regular customer education, it is also investing some US$2.5 million into artificial intelligence to be able to predict and stop mobile money is also investing some US$2.5 million into artificial intelligence to be able to predict and stop mobile money fraudsters.

But Thompson Sakyi said he wonders how such an investment will pan out since social engineering is dynamic and fraudsters would always adopt new tactics once they realize one method had be figured out.

He then asked “if artificial intelligence is efficient in fighting a social engineering phenomenon like mobile money fraud then why are the banks not employing artificial engineering since over 70% of fraud in the financial sector happens in banks and to bank customers?”

The AirtelTigo Money Director said their mobile money platform is very safe and secure from any fraudster activity, but what they have found is that fraudster target customers with tactics such as employment opportunities, scholarships, promotion wins and others, and that is how they get the curious ones.


Thompson Sakyi – Director, AirtelTigo Money

Thompson Sakyi said what AirtelTigo therefore does is to invest in educating their customers about what signposts to look out for to determine if a transaction in fraudulent or genuine.

He said they go to the markets, churches, mosques, schools and other identifiable groups to educate them on daily basis about how to keep fraudster at bay.

Explaining some of way they educate customers, he said “we tell them that if the SMS ID used in sending you the message is not ATMoney then it is not from us and you must either avoid or report it to us by calling 100.

“We also tell them that our Customer Service team will never call you and ask for your mobile money PIN, so if any one calls and asks for your mobile money PIN you should flag it immediately and report to us,” he said.

Thompson Sakyi also said AirtelTigo never calls any customer with any other number than 0260000100, so any call from any other number claiming to be calling from AirtelTigo office is fraudulent and must be flagged and reported.

“When we say flag it, we mean never engage the person – cut the call immediately and report the transaction by calling 100,” he emphasized.


In terms of the arrest of fraudsters, he said in nine out of 10 fraud cases reported, they are unable to get the fraudsters because the customer reported late, adding however that there have been cases where they assisted the police to trace and arrest some fraudsters.

Unfortunately, he said, in some cases the victims preferred the matter to be kept quiet, while in other cases the fraudsters paid back the money after realizing the police was after them, so the victims refused to help in prosecuting the cases further, and the police are forced to discontinue.


The AirtelTigo Money Director their mobile money platform is fully secured against fraud and their customer levels and usage of the platform is growing significantly, even though he stopped short of giving the volume and value of transactions on the platform.

He mentioned that the two key value-added services on the AirtelTigo Money platform – the insurance policy and the pension scheme for the informal sector are growing in leaps and bounds.

Thompson Sakyi said the insurance policy in collaboration with BIMA Insurance has clocked millions of customers over the past six years, while in just two months, the pension scheme on the platform has also attracted over 10,000 users.

“We are proud of these two products because they have given the opportunity to the many unbanked Ghanaians in informal sector to get insurance cover and also to save towards pension in the future,” he said.


Ghanabanews is not responsible for the reportage or opinions of contributors published on the website. 

Send your news stories to and via whatsApp on +233243359263

Samsung sells its LCD plant in China to TCL for $1.8 billion

By: editor

Samsung Display has sold its LCD plant in Suzhou, China, insiders reveal. The main buyer is the local company CSOT which is owned by TCL, the conglomerate that also builds the Alcatel smartphones.

The total deal is worth $1.8 billion – 60% of the plant will be owned by CSOT, 10% by its parent company TCL, while the rest 30% will be handed out to the Suzhou government.

The plant produced 27% of Samsung Display’s total amount of LCD panels, with most of them being for monitors and TVs.

This step is a confirmation to earlier reports that Samsung is trying to discontinue its LCD business and will refocus to quantum dot screens.

The Korea Herald reported that the plant has three 8.5-generation production lines and one 11-generation line, the latter planning to begin manufacturing from early next year.

Interestingly enough, the report also revealed Samsung Display reinvested $723 million into TCL-related companies to acquire 12.33% of their shares.