Trojanized WhatsApp and Telegram Found Pre-Installed on Budget Chinese Android Phones to Target Crypto Users
A new supply chain attack targeting budget Android smartphones has been uncovered, involving pre-installed, trojanized versions of WhatsApp and Telegram designed to hijack cryptocurrency transactions.
According to cybersecurity researchers at Russian antivirus firm Doctor Web, the campaign—active since June 2024—involves Chinese-manufactured Android devices shipped with malicious apps disguised as popular messengers, containing crypto-clipping malware to steal users’ funds.
“Fraudulent applications were detected directly in the software pre-installed on the phone,” the company stated, noting that malicious code had been embedded directly into WhatsApp’s interface.
The affected devices are primarily low-cost knockoffs of premium brands like Samsung and Huawei, featuring deceptive model names such as S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four models under the SHOWJI brand have been confirmed as impacted.
Threat actors also used spoofing tools to falsify the system specifications shown in the phone’s settings, misleading users into believing they were running Android 14 on better hardware than they had. Hardware-inspection apps such as AIDA64 and CPU-Z were fed the same falsified values, so they appeared to confirm the fake specs.
The malware-laced apps were built using the open-source LSPatch project, allowing attackers to inject a trojan—dubbed Shibai—into otherwise legitimate software. Over 40 different apps, including messengers and utility tools like QR scanners, are believed to have been altered in this way.
The malware modifies the app update process to download APK files from attacker-controlled servers and monitors chat messages for cryptocurrency wallet addresses (particularly Ethereum and Tron). When such addresses are detected, they are stealthily replaced with wallet addresses controlled by the attacker.
The infected user still sees the address they typed (or the one their contact sent them), while the other party to the conversation is shown the attacker’s address—so the redirected transfer goes unnoticed on both ends.
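Because the clipper shows each party what it expects to see, the only reliable defence is an out-of-band comparison. The following is an added illustration of that check, not code from the Doctor Web report: it pulls Ethereum and Tron addresses out of the sender’s copy and the recipient’s copy of a message and flags any position where they differ. The address patterns and sample addresses are constructed for the example.

```python
import re

# Address formats the article names as the clipper's targets (patterns are my own,
# not from the report): Ethereum = "0x" + 40 hex chars; Tron = "T" + 33 base58 chars.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")

def extract_addresses(text):
    """Return (chain, address) pairs in order of appearance in the text."""
    hits = [("eth", m.start(), m.group()) for m in ETH_RE.finditer(text)]
    hits += [("tron", m.start(), m.group()) for m in TRON_RE.finditer(text)]
    return [(chain, addr) for chain, _, addr in sorted(hits, key=lambda h: h[1])]

def detect_substitution(sent_copy, received_copy):
    """Compare the sender's view of a message with the recipient's view.

    A clipper like the one described shows each party what it expects, so the
    check has to be out-of-band: the two parties exchange what they saw (e.g.
    read the address aloud on a call) and any position where the addresses
    differ is a substitution. Returns a list of (chain, sent, received) mismatches.
    """
    sent, received = extract_addresses(sent_copy), extract_addresses(received_copy)
    mismatches = []
    for (chain_s, addr_s), (chain_r, addr_r) in zip(sent, received):
        if chain_s != chain_r or addr_s.lower() != addr_r.lower():
            mismatches.append((chain_s, addr_s, addr_r))
    if len(sent) != len(received):  # an address was dropped or added in transit
        mismatches.append(("count", str(len(sent)), str(len(received))))
    return mismatches

# Constructed sample: the victim typed ETH_SENT, the counterparty received ETH_SWAPPED.
ETH_SENT = "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
ETH_SWAPPED = "0x" + "deadbeef" * 5
TRON_SENT = "T" + "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghi"
SENT_MESSAGE = f"send the USDT to {TRON_SENT} and the ETH to {ETH_SENT} thanks"
RECEIVED_MESSAGE = f"send the USDT to {TRON_SENT} and the ETH to {ETH_SWAPPED} thanks"

if __name__ == "__main__":
    for chain, a, b in detect_substitution(SENT_MESSAGE, RECEIVED_MESSAGE):
        print(f"[{chain}] sender wrote {a} but recipient saw {b}")
```

Run on the constructed sample it reports the swapped Ethereum address and leaves the untouched Tron address alone.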
In addition to address replacement, the malware is capable of:
- Harvesting device metadata
- Exfiltrating WhatsApp messages
- Uploading image files (.jpg, .png, .jpeg) from key folders like DCIM, Downloads, and Screenshots
This last capability is most likely intended to locate mnemonic recovery phrases that users have saved as screenshots or photos, which would give the attackers complete control of the victims’ crypto wallets.
Doctor Web identified over 30 domains used for malware distribution and more than 60 command-and-control (C2) servers supporting the campaign. Analysis of nearly two dozen attacker-controlled cryptocurrency wallets shows they’ve collected more than $1.6 million in stolen funds over two years.
The discovery comes alongside another report from Swiss cybersecurity firm PRODAFT, which recently disclosed a new Android malware family named Gorilla. Written in Kotlin, Gorilla is designed to steal sensitive data (e.g., phone numbers, SIM details, device info), maintain persistence, and accept remote commands. It primarily focuses on SMS interception and is believed to be in early stages of development, as it lacks code obfuscation.
Additionally, FakeApp trojans have resurfaced in Google Play Store apps posing as games or utilities. These apps used a remote DNS server to dynamically retrieve URLs and execute malicious actions, such as phishing attacks and forced website redirects. Though these apps have since been removed, the tactic underscores the evolving nature of mobile threats.
The campaign highlights a dangerous evolution in supply chain attacks—where threat actors compromise smartphones before they even reach users’ hands. With malware now baked into the firmware of budget devices, and cryptocurrency increasingly in the crosshairs, users and organizations alike must be vigilant when sourcing mobile hardware and installing third-party applications.