Cheap Android phones in SA stole airtime due to pre-installed malware – and it could be back

Business Insider SA
Second-hand Tecno W2 handsets for sale in SA.
  • Cheap Android smartphones sold in South Africa stole airtime from their users due to pre-installed malware, a new security analysis says.
  • The phones tried to sign users up to premium services. Even when they failed, they chewed up data in the attempts.
  • Manufacturer Transsion says the security hole was fixed years ago, but security analysts detected suspicious traffic into April.
  • The xHelper malware appears to have gone dormant – but there's no reason to believe it will stay that way.

Cheap Android cellphones sold in South Africa invisibly and unstoppably stole airtime from users via pre-installed malware, according to security researchers.

The Tecno W2 smartphones – which now sell for a couple of hundred second-hand – were sold already infected by xHelper and Triada, according to an investigation by Upstream, a company that offers security services to mobile networks, and BuzzFeed News.

That means users did not have to be tricked into downloading software, or into providing any security details, or into taking any action.

The combination of xHelper and Triada is remarkably resistant to removal. Once installed, it will not be deleted even by a full factory reset.

In South Africa the malware tried, apparently unsuccessfully, to sign users up for premium-rated services. Even though such efforts failed, the attempts used data, which drained airtime balances.

Users would have no way to detect the activity other than through dwindling airtime, and the usual advice for stopping airtime from disappearing, which is to check for subscribed premium services, would not have worked.

Affected consumers may have seen a high volume of spam ads on their handsets, though; one of the ways Triada tries to make money for its creators is to download apps that inject pop-up ads.

Transsion, the Chinese company that manufactures the Tecno line of phones, said it knew about the malware more than two years ago, and released an over-the-air update to mitigate it in March 2018, with software updates made available for all affected handsets by the end of March that year.

But Upstream unit Secure-D said it had detected attempts to steal airtime by Transsion phones up to at least April 2020, albeit at lower volumes than before, suggesting that unpatched smartphones continued to circulate.

xHelper appears to have gone into a dormant stage, says Secure-D, but there is no reason to believe it will not be used again.

(Compiled by Phillip de Wet)
