Hello my dear HackingBlogs hackers,
Every reader should pay close attention to this news since it is serious. Preinstalled on low-cost Chinese Android phones are fake Telegram and WhatsApp apps that are infected with spyware that steals cryptocurrency. These trojanized programs can even scan photos for wallet seed phrases, spoof update links, and steal clipboard data.

The Doctor Web virus laboratory has received a number of reports from our customers who installed Dr.Web Security Space antivirus on their newly purchased Android phones. A scan of the system partition revealed a suspicious application disguised as WhatsApp messenger. During their investigation, our analysts were able to establish that those cases were not a mere blip on the radar. It turned out that they were all part of a campaign to steal cryptocurrency through clipping.
Said Dr.Web.
We will briefly explain how this operates, which phone models are impacted, and what you can do to protect yourself in this post.
Introduction – Why This Threat Matters
To verify device specifications with greater certainty, you can use an app called DevCheck. In most cases, this application accurately determines the product specifications, even if the manufacturer is trying to mislead the consumer.
The purpose of these trojanized, non-official apps is to steal cryptocurrency by reading private communications, stealing clipboard data, creating fake wallet addresses, and scanning photos for recovery phrases.
This is a supply-chain-level issue: the phones are infected before they even reach the customer, so it is not a straightforward post-purchase malware infection. This problem requires your attention if you use or recommend inexpensive Android devices.
Clipping means stealing information by intercepting and/or spoofing data that a user copies to the clipboard. Most commonly, clippers are designed to search the clipboard for strings corresponding to cryptocurrency wallet addresses. On average, such strings contain between 25 and 42 characters. And to avoid any hassle, users typically use standard “copy” and “paste” operations to work with such data. A clipper can take advantage of this by intercepting the contents of the clipboard and discreetly replacing all cryptocurrency wallet addresses with those of the cybercriminals.
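The clipper behaviour described above is easiest to understand from the defender's side: a clipper leaves the surrounding text alone and swaps only the wallet-address-looking token, so comparing what was copied with what actually lands in the message exposes the swap. The following is an added example written for this post, not code from Dr.Web or from the malware; the address patterns are format checks built from the public Ethereum, Tron and legacy Bitcoin address shapes (no checksum validation), and the sample addresses are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Address formats a clipper typically hunts for (all fall in the 25-42
# character range). These are format checks only, not checksum validation.
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),                      # 42 chars
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),                   # 34 chars
    "bitcoin_legacy": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),   # 26-35 chars
}


def find_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (kind, address) for every wallet-address-looking token in text."""
    found: List[Tuple[str, str]] = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def detect_substitution(copied: str, pasted: str) -> Dict[str, object]:
    """Compare the text the user copied with the text about to be pasted/sent.

    Any address present in `pasted` but absent from `copied` is a red flag:
    the user never typed or copied it, so something between the clipboard
    and the input field put it there.
    """
    copied_addrs = {addr for _, addr in find_addresses(copied)}
    pasted_addrs = {addr for _, addr in find_addresses(pasted)}
    injected = sorted(pasted_addrs - copied_addrs)
    dropped = sorted(copied_addrs - pasted_addrs)
    return {
        "substituted": bool(injected),
        "injected": injected,   # addresses that appeared out of nowhere
        "dropped": dropped,     # the user's own addresses that vanished
    }


# Constructed sample (placeholder addresses, not real wallets): the user copies
# one Ethereum address, and the text that actually lands in the chat carries
# a different one, which is exactly what a clipper produces.
USER_COPIED = "Pay to 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef please"
WHAT_WAS_PASTED = "Pay to 0xcafebabecafebabecafebabecafebabecafebabe please"

if __name__ == "__main__":
    print(detect_substitution(USER_COPIED, WHAT_WAS_PASTED))
```

The same comparison can be done by hand: after pasting a wallet address into any app, compare the first and last few characters with the address shown in your wallet before sending. On a phone where the messenger itself is trojanized, the check must be done on a second, trusted device, since the infected app may display the original address to you while sending the attacker's.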
What Is Happening?
Doctor Web experts found that trojanized, altered versions of Telegram and WhatsApp were pre-installed on several low-end Chinese phones. The objective? Steal cryptocurrency from users by gathering private data and secretly switching wallet addresses.

The apps were modified with LSPatch, a tool that lets attackers insert malicious modules without changing the app’s core code. More than 40 preinstalled programs, including QR scanners and cryptocurrency wallets, are affected by the campaign.
How the Malware Works
- Clipboard Hijacking: When users copy a cryptocurrency wallet address (Ethereum, Tron, etc.), the attacker’s address is quietly substituted for the original.
- Message Tampering: In outgoing messages the victim sees their own wallet address while the recipient sees the attacker’s. Incoming addresses are changed as well.
- Update Hijacking: The fake WhatsApp receives updates from the attacker’s server rather than the official one.
- File Scraping: The malware looks for screenshots of crypto recovery phrases (mnemonics) in folders such as /DCIM, /Pictures, and /Downloads.
- Data Exfiltration: All conversations, device information, and files are transmitted to servers under the attacker’s control.
Affected Devices
The majority of compromised phones are cheap copies that pose as high-end models, such as the “S23 Ultra,” “Note 13 Pro,” or “P70 Ultra.” Apps like CPU-Z and AIDA64 display fake specifications on these devices because another hidden app manipulates what they report.
Infected Models (according to Dr.Web)
- SHOWJI S19 Pro
- SHOWJI Note 13 Pro
- P70 Ultra
- S24 Ultra
- Note 30i
- Camon 20
- M14 Ultra
(many more, mostly under the SHOWJI brand)
Inside the Trojan: Shibai
A debug log found within the code led Doctor Web to name the malware Shibai. It makes use of:

- LSPatch to hook into the messenger apps
- Payload: com.whatsHook.apk
- Over 60 C2 servers for management
- More than 30 fake domains to serve updates
Inside these low-cost phones is a full-fledged APT-level campaign.
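Dr.Web found the trojanized messenger by scanning the system partition, and the sections above give two concrete things to look for: a messenger that ships inside a firmware partition instead of being installed by the user, and the com.whatsHook.apk payload file name. The following triage script is an added example for this post, not Dr.Web's tooling; it parses the `package:<apk path>=<package name>` lines that `adb shell pm list packages -f` prints. The sample output is constructed, and the package name attached to the payload APK is a placeholder, since the post does not give it.

```python
from typing import Dict, List, Optional, Tuple

# Messengers that normally arrive through the user's own install under
# /data/app, not baked into a firmware partition.
MESSENGER_PACKAGES = {"com.whatsapp", "org.telegram.messenger"}

# Firmware partitions an end user cannot modify without root: anything
# installed here shipped with the phone.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/odm/")

# Payload APK file name reported for Shibai (compared case-insensitively).
KNOWN_PAYLOAD_APK_NAMES = {"com.whatshook.apk"}


def parse_pm_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one 'package:<path>=<pkg>' line into (path, pkg).

    Modern install paths contain '==' padding, so split on the LAST '='.
    Returns None for lines that are not package entries.
    """
    line = line.strip()
    if not line.startswith("package:") or "=" not in line:
        return None
    path, pkg = line[len("package:"):].rsplit("=", 1)
    return path, pkg


def triage_package_list(lines: List[str]) -> List[Dict[str, str]]:
    """Flag firmware-resident messengers and known payload APK names."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        parsed = parse_pm_line(raw)
        if parsed is None:
            continue
        path, pkg = parsed
        apk_name = path.rsplit("/", 1)[-1].lower()
        if apk_name in KNOWN_PAYLOAD_APK_NAMES:
            findings.append({"package": pkg, "path": path,
                             "reason": "known_payload_apk_name"})
        elif pkg in MESSENGER_PACKAGES and path.startswith(FIRMWARE_PREFIXES):
            findings.append({"package": pkg, "path": path,
                             "reason": "messenger_in_firmware_partition"})
    return findings


# Constructed sample of `pm list packages -f` output. The Telegram entry is a
# normal user install under /data/app and must NOT be flagged; the WhatsApp
# entry lives in /system/app and the last line carries the payload APK name
# with a placeholder package id.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~c0nstructed==/org.telegram.messenger-AbC==/base.apk=org.telegram.messenger
package:/system/app/WhatsApp/WhatsApp.apk=com.whatsapp
package:/system/app/whatsHook/com.whatsHook.apk=example.placeholder.pkg
""".splitlines()

if __name__ == "__main__":
    for finding in triage_package_list(SAMPLE_PM_OUTPUT):
        print(f"{finding['reason']}: {finding['package']} at {finding['path']}")
```

To run it against a real phone, capture `adb shell pm list packages -f > packages.txt` and pass the file's lines to `triage_package_list`. A hit on a firmware-resident messenger is not proof of infection on its own (some vendors legitimately preload apps), but on a no-name device it is exactly the artifact worth examining with an antivirus scan of the system partition.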
In conclusion, awareness is crucial when dealing with unknown phone manufacturers who offer premium features at remarkably low prices. Always use reliable programs, such as DevCheck, to confirm the hardware’s real specifications. Do not download programs from unreliable sites, and make sure a trustworthy antivirus app, like Dr.Web Security Space (not sponsored :), is installed on your phone.
Additionally, to protect your recovery phrase, never save it as a screenshot or plain-text file. By taking these precautions you significantly reduce the risk to your security and privacy.