Malicious WhatsApp Found on Budget Android Phones: Cryptocurrency Theft via Clipper Malware


Researchers at Doctor Web have warned of pre-installed malware found on budget Android smartphones that imitate well-known brands. The malicious code lives inside a trojanized build of the WhatsApp messenger that ships in the device firmware and is designed to steal cryptocurrency by "clipping": silently replacing wallet addresses with ones belonging to the attackers.

How the Attack Works

The campaign was first noticed in June 2024, when Doctor Web began receiving reports from customers who had installed the Dr.Web Security Space antivirus on newly purchased Android phones. A scan of the system partition flagged a suspicious app posing as WhatsApp. Further investigation showed that these reports were part of a larger cryptocurrency theft campaign.

Clipping is the theft of funds by intercepting or replacing data that a user copies to the clipboard. A clipper watches the clipboard for strings that look like cryptocurrency wallet addresses, typically 25 to 42 characters long, and quietly substitutes an address controlled by the attacker. Because people copy and paste addresses rather than type them, and because the substitute is a valid address on the same chain, the swap is invisible unless the pasted address is compared with the original through some other channel. The variant described here goes further than the clipboard: it rewrites addresses inside WhatsApp messages themselves.

Compromised Devices and Fake Specs

According to the researchers, the attackers gained access to the supply chain of several Chinese Android smartphone manufacturers; how they got in has not been established. All complaints concerned the same kind of device: low-cost models with names that mimic popular flagships, such as S23 Ultra, Note 13 Pro and P70 Ultra, whose real hardware was far below what was advertised. The firmware also included a hidden app that spoofs the technical information the device reports about itself, not only in the system settings menu but also to diagnostic apps such as AIDA64 and CPU-Z.

Although the "About Device" screen claimed the latest Android 14, all of these phones actually ran the same build of Android 12. The DevCheck app reported more accurate hardware information even where the spoofing app tried to mislead users.

Infected Models

About a third of the infected models were sold under the SHOWJI brand; the rest could not be attributed to a manufacturer. Known affected models include:

  • SHOWJI S19 Pro
  • Note 30i
  • Camon 20
  • SHOWJI Note 13 Pro
  • S23 Ultra
  • P70 Ultra
  • SHOWJI X100S Pro
  • S18 Pro
  • M14 Ultra
  • SHOWJI Reno12 Pro
  • 6 Pro
  • S24 Ultra

How the Malicious WhatsApp Works

The trojanized WhatsApp was built with the LSPatch framework, which repackages an APK so that it loads additional modules at runtime and can change the app's behavior without touching its original code. In this case a malicious module named com.whatsHook.apk was placed in the APK's assets folder. It performs the following functions:

  • Intercepting app updates: instead of checking the official WhatsApp site, the app contacts attacker-controlled servers for updates, so the device stays infected and the module can be extended with new malicious features.
  • Searching for and replacing wallet addresses: the module scans incoming and outgoing messages for Tron addresses (34 characters, starting with T) and Ethereum addresses (42 characters, starting with 0x) and swaps them for the attackers' addresses on the same chain.
  • Stealthy address replacement: the victim sees their own correct address in an outgoing message, but the recipient receives the attacker's address. For incoming messages the sender sees the address they typed, while the victim's device displays the attacker's address.
  • Backup addresses: if the module cannot reach its command-and-control server to obtain a replacement address, it falls back to hardcoded ones.
  • Message and image theft: every message sent in WhatsApp is forwarded to the attackers' server. The module also searches the DCIM, PICTURES, ALARMS, DOWNLOADS, DOCUMENTS and SCREENSHOTS folders for .jpg, .png and .jpeg files and uploads them, the goal being seed phrases for crypto wallets, which users often keep as screenshots.
  • Device information theft: manufacturer, model, language settings and the name of the patched app are sent to the command server.
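The address swap in the list above and the clipboard clipping described under "How the Attack Works" are the same operation: find strings that look like a wallet address and replace each with an attacker address on the same chain. The Python script below is an added example written for this article, not code from the Shibai module or from Doctor Web. It implements the two patterns the report names (34-character Tron addresses starting with T, 42-character Ethereum addresses starting with 0x), simulates the swap on a constructed message, and shows the check that actually catches it: comparing the addresses the sender typed with the ones the recipient received. The victim and attacker addresses are constructed from arbitrary 20-byte hashes; the Tron base58check encoder (0x41 prefix, double-SHA-256 checksum) is standard and is included to show that a swapped address still passes format validation.

```python
import hashlib
import re

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The two address shapes the trojanized module keys on (from the report):
# Tron: 34 base58 characters starting with "T"; Ethereum: "0x" plus 40 hex digits.
ADDR_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b|\b0x[0-9a-fA-F]{40}\b")


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = BASE58[r] + digits
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + digits


def b58decode(s: str) -> bytes:
    n = 0
    for c in s:
        n = n * 58 + BASE58.index(c)  # raises ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading + body


def tron_address(h160: bytes) -> str:
    """Mainnet Tron address: base58check(0x41 || 20-byte hash)."""
    payload = b"\x41" + h160
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + check)


def is_valid_tron(addr: str) -> bool:
    """Format check only (prefix, length, checksum). Says nothing about who owns it."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def chain_of(addr: str) -> str:
    return "tron" if addr.startswith("T") else "eth"


def find_addresses(text: str) -> list[str]:
    return ADDR_RE.findall(text)


def clip(text: str, attacker: dict[str, str]) -> str:
    """What the clipper does: every address becomes the attacker's address on the
    same chain, so the result still looks like an ordinary, valid address."""
    return ADDR_RE.sub(lambda m: attacker[chain_of(m.group())], text)


def substituted_addresses(sent: str, received: str) -> list[tuple[str, str]]:
    """The out-of-band check: pair the addresses in the text the sender typed with
    those in the text the recipient got (read back over a call, a second channel)."""
    return [(a, b) for a, b in zip(find_addresses(sent), find_addresses(received)) if a != b]


# Constructed data (hypothetical; none of these addresses appear in the report).
VICTIM = {"tron": tron_address(b"\x01" * 20), "eth": "0x" + "12" * 20}
ATTACKER = {"tron": tron_address(b"\xaa" * 20), "eth": "0x" + "ab" * 20}
SENT = f"Send the USDT to {VICTIM['tron']} and the ETH to {VICTIM['eth']}, thanks!"


if __name__ == "__main__":
    received = clip(SENT, ATTACKER)
    print("sender sees:   ", SENT)
    print("recipient gets:", received)
    for original, replaced in substituted_addresses(SENT, received):
        valid = is_valid_tron(replaced) if chain_of(replaced) == "tron" else "n/a"
        print(f"SWAPPED {original} -> {replaced}  (passes format check: {valid})")
```

The point of `is_valid_tron` is negative: every address in the clipped message is well-formed, so no wallet app or chat client can flag the swap by validation alone. Only `substituted_addresses`, which needs a copy of the message from the other side of the conversation, detects it; that is why the practical advice is to confirm the first and last characters of an address over a second channel before sending funds.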

Scale of the Attack

Doctor Web named the trojan "Shibai", a reference to the Shiba Inu (SHIB) cryptocurrency. The researchers describe a large-scale campaign: about 40 apps were modified in the same way, including WhatsApp, Telegram and other messengers, QR code scanners and, notably, crypto wallet apps such as MathWallet and Trust Wallet. Over 60 command servers and about 30 domains were used to distribute the malware.

Financial analysis showed that one tracked wallet received over $1 million in two years, another held half a million, and about 20 others contained up to $100,000 each. The campaign's total take is unknown, because the command servers hand out wallet addresses dynamically, so no single address captures the whole flow.

How to Protect Yourself

  • Install security software and let it scan the system partition: a trojan shipped in the firmware is a system app and cannot be removed with a normal uninstall.
  • Be wary of smartphones whose advertised specs seem too good for the price.
  • Only download apps from trusted sources such as Google Play, RuStore and AppGallery. Note that this does not help on a device that was compromised at the factory, since the trojanized WhatsApp arrived pre-installed.
  • Never keep screenshots of seed phrases, passwords or keys on the device in unencrypted form.
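The report gives enough detail to check a WhatsApp APK pulled from a suspect device offline, which complements the first bullet. An LSPatch-repacked app is still an ordinary APK, which is a zip archive, so the module the report names, assets/com.whatsHook.apk, and the loader files LSPatch adds can be found by listing the archive without running anything from it. The script below is an added example for this article, not a Doctor Web tool: the com.whatsHook.apk path comes from the report, the assets/lspatch/ directory is an assumption about LSPatch's marker files, and the sample archive the script builds is a constructed fixture, not a real WhatsApp build.

```python
import io
import zipfile

MALICIOUS_MODULE = "assets/com.whatsHook.apk"  # module name given in the Dr.Web report
LSPATCH_PREFIX = "assets/lspatch/"              # assumed LSPatch loader directory, not from the report
SIGNATURE_EXTS = (".RSA", ".DSA", ".EC")        # v1 signature blocks live under META-INF/


def inspect_apk(apk) -> dict:
    """List-only inspection of an APK (path or file-like object).
    Nothing inside the archive is extracted or executed."""
    with zipfile.ZipFile(apk) as z:
        names = z.namelist()
    return {
        "whatsHook_module": MALICIOUS_MODULE in names,
        "lspatch_markers": sorted(n for n in names if n.startswith(LSPATCH_PREFIX)),
        # A repacked APK must be re-signed, so the signer here will not be the vendor's.
        "signature_blocks": sorted(
            n for n in names if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_EXTS)
        ),
    }


def is_trojanized(findings: dict) -> bool:
    """Either indicator alone is enough: WhatsApp ships neither file."""
    return findings["whatsHook_module"] or bool(findings["lspatch_markers"])


def build_sample_apk(with_module: bool) -> io.BytesIO:
    """Constructed fixture standing in for a pulled APK (not a real WhatsApp build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/CERT.RSA", b"")
        if with_module:
            z.writestr(MALICIOUS_MODULE, b"PK")
            z.writestr(LSPATCH_PREFIX + "config.json", b"{}")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk(with_module=True)
    findings = inspect_apk(target)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("VERDICT:", "trojanized" if is_trojanized(findings) else "no LSPatch indicators")
```

To get the real APK, pull it with adb, for example `adb pull "$(adb shell pm path com.whatsapp | cut -d: -f2)"`, and pass the file path as the script's argument. Two caveats: a pre-installed trojan need not use the genuine com.whatsapp package name, so list the apps under /system and /product as well; and a clean listing only rules out this repackaging technique, not other firmware-level tampering, which is why the signer certificate should still be compared with the one on a WhatsApp build installed from the store.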
