Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users

By News Room. Published 16 April 2025; last updated 2025/04/16 at 4:28 AM.

Cheap Android smartphones manufactured by Chinese companies have been observed shipping with pre-installed trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality, as part of a campaign running since June 2024.

While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to a significant escalation, with threat actors directly targeting the supply chain of various Chinese manufacturers to preload brand-new devices with malicious apps.

“Fraudulent applications were detected directly in the software pre-installed on the phone,” the company said. “In this case, the malicious code was added to the WhatsApp messenger.”

A majority of the compromised devices are said to be low-end phones that mimic well-known premium models from Samsung and Huawei with names like S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four of the affected models are manufactured under the SHOWJI brand.

The attackers are said to have used an application to spoof the technical specification displayed on the About Device page, as well as hardware and software information utilities like AIDA64 and CPU-Z, giving users a false impression that the phones are running Android 14 and have improved hardware.

The malicious Android apps are created using an open-source project called LSPatch that allows the trojan, dubbed Shibai, to be injected into otherwise legitimate software. In total, about 40 different applications, like messengers and QR code scanners, are estimated to have been modified in this manner.

In the artifacts analyzed by Doctor Web, the application hijacks the app update process to retrieve an APK file from a server under the attacker’s control and searches for strings in chat conversations that match cryptocurrency wallet address patterns associated with Ethereum or Tron. If found, they are replaced with the adversary’s addresses to reroute transactions.

“In the case of an outgoing message, the compromised device displays the correct address of the victim’s own wallet, while the recipient of the message is shown the address of the fraudsters’ wallet,” Doctor Web said.

“And when an incoming message is received, the sender sees the address of their own wallet; meanwhile, on the victim’s device, the incoming address is replaced with the address of the hackers’ wallet.”
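The address swap described above is invisible on the infected handset itself, so the practical check is to compare every address that appears in a chat against a list the user verified out of band. The script below is an added example (not code from the article or from Doctor Web): it pattern-matches the Ethereum and Tron address formats named above, checksum-verifies Tron candidates with Base58Check to weed out look-alike strings, and flags any address missing from the user's own address book. The chat lines and addresses are constructed sample data.

```python
import hashlib
import re

# Candidate patterns the clipper looks for: Ethereum (0x + 40 hex), Tron (T + 33 base58).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out  # leading zero bytes -> '1'

def valid_tron(addr: str) -> bool:
    """Decode a 34-char candidate; require the 0x41 mainnet prefix and a good checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    data = n.to_bytes(25, "big")          # 21 payload bytes + 4 checksum bytes
    payload, check = data[:21], data[21:]
    return payload[0] == 0x41 and hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == check

def find_addresses(text: str) -> list[str]:
    """Return wallet-address candidates in one message; Tron ones are checksum-verified."""
    return ETH_RE.findall(text) + [a for a in TRON_RE.findall(text) if valid_tron(a)]

def audit_chat(messages: list[dict], address_book: set[str]) -> list[dict]:
    """Flag every address not in the user's verified book. The book must come from an
    out-of-band source, since a clipper shows the local user the address they expect."""
    known = {a.lower() for a in address_book}
    findings = []
    for m in messages:
        for addr in find_addresses(m["text"]):
            findings.append({"from": m["from"], "address": addr, "known": addr.lower() in known})
    return findings

# Constructed sample data: a Tron address built from a made-up 20-byte key hash, one
# Ethereum address, one address that is NOT in the book, and a Tron look-alike.
MY_TRON = b58check_encode(b"\x41" + bytes(range(20)))
MY_ETH = "0x" + "ab" * 20
ADDRESS_BOOK = {MY_TRON, MY_ETH}
CHAT = [
    {"from": "me", "text": f"send it to {MY_ETH} please"},
    {"from": "alice", "text": f"got it, here is mine: {MY_TRON}"},
    {"from": "me", "text": "use 0x" + "cd" * 20 + " instead"},   # unknown: flagged
    {"from": "bob", "text": "T" + "X" * 33},                     # fails checksum: ignored
]
```

Run `audit_chat(CHAT, ADDRESS_BOOK)` on a real chat export taken from the peer's device as well as the victim's; a message whose address differs between the two copies is the symptom the article describes.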

Besides changing the wallet addresses, the malware is also fitted with capabilities to harvest device information, all WhatsApp messages, and .jpg, .png, and .jpeg images from the DCIM, Pictures, Alarms, Downloads, Documents, and Screenshots folders, and to upload them to the attacker’s server.

The intention behind this step is to scan the stored images for wallet recovery (aka mnemonic) phrases, allowing the threat actors to gain unauthorized access to victims’ wallets and drain the assets.

It’s not clear who is behind the campaign, although the attackers have been found to leverage about 30 domains to distribute the malicious applications and employ more than 60 command-and-control (C2) servers to manage the operation.

Further analysis of the nearly two dozen cryptocurrency wallets used by the threat actors has revealed that they have received more than $1.6 million over the last two years, indicating that the supply chain compromise has paid off in a big way.

The development comes as Swiss cybersecurity company PRODAFT uncovered a new Android malware family dubbed Gorilla that’s designed to collect sensitive information (e.g., device model, phone numbers, Android version, SIM card details, and installed apps), maintain persistent access to infected devices, and receive commands from a remote server.

“Written in Kotlin, it primarily focuses on SMS interception and persistent communication with its command-and-control (C2) server,” the company said in an analysis. “Unlike many advanced malware strains, Gorilla does not yet employ obfuscation techniques, indicating that it may still be under active development.”

In recent months, Android apps embedding the FakeApp trojan propagated via Google Play Store have also been found making use of a DNS server to retrieve a configuration that contains a URL to be loaded.

These apps, since removed from the marketplace, impersonate well-known and popular games and apps and come fitted with the ability to receive external commands that can perform various malicious actions like loading unwanted websites or serving phishing windows.
