FlagThis - #whatsapp

A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.


References :

• hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
• securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
• The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
• hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp

Classification:

• HashTags: #AndroidMalware #CryptoTheft #SupplyChain
• Company: Doctor Web
• Target: Android users
• Product: WhatsApp, Telegram
• Feature: Crypto Clipping
• Malware: Clippers
• Type: Malware
• Severity: Major