A disturbing new malware campaign has emerged, exposing cryptocurrency users to major financial risks. Cybersecurity researchers have discovered that several low-cost Android phones manufactured in China come pre-loaded with fake versions of WhatsApp and Telegram, embedded with cryptocurrency-stealing malware.
🛑 Supply Chain Attack: Malicious Apps Installed Before Purchase
According to Doctor Web, a trusted Russian antivirus company, this attack dates back to June 2024 and involves supply chain compromise. Threat actors are infiltrating the manufacturing process of smartphones to install trojanized messaging apps directly into the devices before they reach customers.
📱 Affected Devices Mimic Premium Brands
The campaign mainly targets low-end Chinese Android phones that are designed to mimic premium models from Samsung and Huawei. These include knockoff versions labeled as:
S23 Ultra
S24 Ultra
Note 13 Pro
P70 Ultra
At least four impacted models are being sold under the SHOWJI brand, raising serious concerns about product authenticity and security.
🧠 Sophisticated Spoofing & Trojan Deployment
To fool users, the attackers deploy an app that fakes the device specifications, manipulating tools like AIDA64 and CPU-Z to make it appear the phone is running Android 14 with high-end specs.
The malware—dubbed “Shibai”—was developed using an open-source tool called LSPatch, enabling attackers to inject malicious code into seemingly legitimate apps. Researchers believe over 40 popular apps, including messaging platforms and QR code scanners, have been modified in this way.
💸 How the Crypto Clipper Works
The trojan is designed to intercept and manipulate cryptocurrency wallet addresses in chats. It targets Ethereum and Tron wallets, replacing the user's wallet address with the attacker's during copy-paste operations—without the victim noticing.
✅ To the sender, the wallet address looks correct.
❌ To the recipient, it appears as the attacker’s wallet.
The malware even hijacks WhatsApp updates to pull malicious APKs from a remote server, maintaining persistent control over the device.
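The substitution described above leaves no trace on the sender's own screen, so the only reliable check is to compare what the sender's device shows with what the recipient actually received. The following script is an added example, not code from the article or from Doctor Web: it extracts Ethereum and Tron addresses by format, diffs a message as the sender sees it against the copy on the receiving side, and reports any address that appears only on the receiving side. The chat exports and all addresses are constructed sample data (syntactically valid, not checksum-verified), and the export format (a list of message id and text pairs) is an assumption.

```python
import re

# Address syntax for the two chains named in the article. These patterns are
# constructed for this example and describe format only, not checksum validity.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Tron mainnet addresses are base58: 'T' followed by 33 base58 characters.
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def extract_addresses(text):
    """Return (chain, address) pairs in the order they appear in a message."""
    hits = [(m.start(), "ethereum", m.group(0)) for m in ETH_RE.finditer(text)]
    hits += [(m.start(), "tron", m.group(0)) for m in TRON_RE.finditer(text)]
    return [(chain, addr) for _, chain, addr in sorted(hits)]


def find_substitutions(shown_to_sender, received_by_recipient):
    """Diff the addresses in a message as the sender's screen shows it against
    the copy the recipient received.

    A clipper rewrites the address after the user pastes it, so the sender's
    device keeps displaying the intended address while the outgoing message
    carries the attacker's. Any address on the receiving side that never
    appeared on the sending side is therefore a substitution.
    """
    intended = {addr for _, addr in extract_addresses(shown_to_sender)}
    return [(chain, addr)
            for chain, addr in extract_addresses(received_by_recipient)
            if addr not in intended]


def audit_exports(sender_export, recipient_export):
    """Compare two chat exports, each a list of (message_id, text), and map
    every message id whose addresses were swapped to the injected addresses."""
    received = dict(recipient_export)
    report = {}
    for message_id, text in sender_export:
        if message_id not in received:
            continue  # message never arrived; nothing to compare
        swapped = find_substitutions(text, received[message_id])
        if swapped:
            report[message_id] = swapped
    return report


# Constructed sample data: syntactically valid but made-up addresses.
VICTIM_ETH = "0x" + "ab12" * 10
ATTACKER_ETH = "0x" + "ff00" * 10
VICTIM_TRON = "T" + "9Q" * 16 + "9"
ATTACKER_TRON = "T" + "Zz" * 16 + "Z"

SENDER_EXPORT = [
    (1, "hi, sending the invoice now"),
    (2, f"pay to {VICTIM_ETH} please"),
    (3, f"tron works too: {VICTIM_TRON}"),
]
RECIPIENT_EXPORT = [
    (1, "hi, sending the invoice now"),
    (2, f"pay to {ATTACKER_ETH} please"),      # rewritten on the way out by the clipper
    (3, f"tron works too: {ATTACKER_TRON}"),
]

if __name__ == "__main__":
    for message_id, swaps in audit_exports(SENDER_EXPORT, RECIPIENT_EXPORT).items():
        for chain, addr in swaps:
            print(f"message {message_id}: {chain} address replaced with {addr}")
```

The comparison deliberately ignores the infected device's own view of the conversation as a source of truth: the sender's export is only useful because it records what the user intended, and the recipient's export records what actually went over the wire. In practice the same idea reduces to reading the address back to the recipient over a separate channel before sending funds.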
🖼️ Stolen Data Includes Photos, Chats, and Device Info
Beyond wallet manipulation, the malware harvests:
All WhatsApp messages
Images (.jpg, .png, .jpeg) from DCIM, Downloads, Documents, etc.
Device info (model, Android version, etc.)
Its goal? To identify wallet recovery phrases hidden in screenshots or saved images, which can be exploited to drain cryptocurrency accounts.
🌐 Infrastructure and Scale of Operation
While the identity of the group remains unknown, researchers have uncovered:
1. 30+ domains distributing malicious apps
2. 60+ command-and-control (C2) servers managing the attack infrastructure
3. At least $1.6 million in stolen cryptocurrency funneled into 20+ wallets
This clearly shows that the campaign is well-funded, large-scale, and profitable.
🐒 Related Threat: New “Gorilla” Malware Found
In parallel, cybersecurity firm PRODAFT has flagged a new Android malware strain called “Gorilla.” Written in Kotlin, Gorilla focuses on:
1. SMS interception
2. Collecting device data
Notably, this malware is still in early stages of development and lacks obfuscation, making it easier to analyze—for now.
🎮 Fake Games with “FakeApp” Trojan Also Spotted on Google Play
Adding to the threat landscape, Android apps embedded with the FakeApp trojan were found on Google Play Store, disguised as popular games. These malicious apps used DNS tricks to retrieve remote configurations and execute commands like:
2. Opening unwanted websites
3. Executing remote actions
🛡️ Stay Safe: Tips to Protect Your Crypto & Android Devices
1. Avoid buying phones from unverified sellers—especially low-cost imitations of premium models.
2. Scan pre-installed apps using trusted antivirus software.
3. Don’t rely solely on app store reviews—inspect app permissions and monitor for suspicious behavior.
4. Regularly back up your crypto wallets and secure your recovery phrases offline.
5. Enable 2FA (Two-Factor Authentication) wherever possible.
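Tip 2 can be taken one step further with a developer-mode check that needs no antivirus product. On a device with USB debugging enabled, `adb shell pm list packages -f` prints every installed package together with the path of its APK; a messaging app that was installed by the user lives under /data/app, while one baked into the firmware lives in a read-only partition such as /system or /product, which is exactly where a factory-installed trojanized copy would sit. The script below is an added example, not from the article or from Doctor Web: it parses that listing and flags WhatsApp and Telegram (real package names) when they reside in a firmware partition. The sample listing is constructed, and the set of partition prefixes is an assumption that covers common Android builds.

```python
# Partitions that ship with the firmware. An app living here was put there by
# whoever built the ROM, not by the user, and "Uninstall" will not remove it.
# This prefix list is an assumption covering common Android builds.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/oem/")

# Package names of the two apps the campaign impersonates (real identifiers).
WATCHED_PACKAGES = {
    "com.whatsapp": "WhatsApp",
    "org.telegram.messenger": "Telegram",
}


def parse_pm_listing(output):
    """Parse `adb shell pm list packages -f` output into {package: apk_path}.

    Each line has the form 'package:<apk path>=<package name>'. The path may
    itself contain '=' characters, so split on the last one."""
    listing = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        path, sep, name = body.rpartition("=")
        if not sep:
            continue  # malformed line; skip rather than guess
        listing[name] = path
    return listing


def flag_firmware_messaging_apps(listing):
    """Return [(package, label, path)] for watched messaging apps that live in
    a firmware partition, i.e. were pre-installed by the device builder."""
    flagged = []
    for name, label in WATCHED_PACKAGES.items():
        path = listing.get(name)
        if path and path.startswith(FIRMWARE_PREFIXES):
            flagged.append((name, label, path))
    return flagged


# Constructed sample output imitating the pm format; every path is made up.
SAMPLE_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/app/WhatsApp/WhatsApp.apk=com.whatsapp
package:/product/app/Telegram/Telegram.apk=org.telegram.messenger
package:/data/app/~~abc==/com.example.notes-xyz==/base.apk=com.example.notes
"""

if __name__ == "__main__":
    hits = flag_firmware_messaging_apps(parse_pm_listing(SAMPLE_OUTPUT))
    for name, label, path in hits:
        print(f"{label} ({name}) is part of the firmware at {path}; "
              "compare its signing certificate with the store copy before trusting it")
    if not hits:
        print("no watched messaging app found in a firmware partition")
```

A firmware-resident copy is a strong signal but not proof of tampering on its own; the follow-up is to pull the APK with `adb pull` and compare its signing certificate (for example with `apksigner verify --print-certs`) against the certificate of the copy distributed through the official store. Since the article notes that the malware also hijacks the app's update channel, a mismatch there means the device cannot be cleaned by updating and should not be used for anything involving funds.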
🚨 Final Thoughts
This incident is a stark reminder that cybercriminals are increasingly targeting the hardware supply chain, not just software. As fake Android phones continue to flood the global market, crypto users must remain vigilant and proactive in defending their digital assets.

