Cheap Android smartphones manufactured by Chinese companies have been observed to come preinstalled with trojanized applications masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality, as part of a campaign ongoing since June 2024.
Although the use of malware-laced applications to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to a significant escalation, with threat actors directly targeting the supply chain of various Chinese manufacturers to preload new devices with malware.
“Fraudulent applications were detected directly in the software preinstalled on the phone,” the company said. “In this case, the malicious code was added to the WhatsApp messenger.”
The majority of the compromised devices are said to be low-end phones that mimic well-known premium models from Samsung and Huawei, with names like S23 Ultra, S24 Ultra, Note 13 Pro and P70 Ultra. At least four of the affected models are made under the Showji brand.
The attackers are said to have used an application to spoof the technical specifications displayed on the About Device page, as well as in public hardware and software information utilities such as AIDA64 and CPU-Z, giving users the false impression that the phones are running Android 14 and have improved hardware.
The malicious Android applications are created using an open-source project called LSPatch, which allows the trojan, dubbed Shibai, to be injected into otherwise legitimate software. It is estimated that around 40 different applications, such as messengers and QR code scanners, have been modified in this way.
In the artifacts analyzed by Doctor Web, the application hijacks the app’s update process to retrieve an APK file from a server under the attacker’s control, and searches for strings in chat conversations that match cryptocurrency wallet address patterns associated with Ethereum or Tron. If found, they are replaced with the adversary’s addresses in order to reroute the transactions.
“In the case of an outgoing message, the compromised device displays the correct address of the victim’s wallet, while the recipient of the message is shown the address of the fraudsters’ wallet,” Doctor Web said.
“And when an incoming message is received, the sender sees the address of their own wallet; meanwhile, on the victim’s device, the incoming address is replaced with the address of the hackers’ wallet.”
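The substitution described above works because each party only ever sees the address it expects. The following Python is an added illustration (not code from Doctor Web or from this article) of the defender-side check that description implies: extract the wallet addresses from the text the sender composed and from the text the recipient actually received, and report any position where they differ. The address patterns (an EVM-style `0x` plus 40 hex characters for Ethereum, a 34-character base58 string starting with `T` for Tron), the sample messages and the addresses in them are assumptions constructed for the example, not the malware's actual matching rules.

```python
"""Detect clipper-style wallet-address substitution between two views of a message.

Added example; not Doctor Web's code. The address patterns below are assumptions
about what an address-swapping clipper would target, not the malware's own regexes.
"""
import re
from dataclasses import dataclass

# Assumed patterns: Ethereum-style hex address and Tron base58 address (T + 33 chars).
ETH_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_ADDRESS = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


@dataclass(frozen=True)
class Substitution:
    chain: str
    expected: str  # address in the text the user composed
    observed: str  # address in the text the other party received


def extract_addresses(text: str) -> list[tuple[str, str]]:
    """Return (chain, address) pairs in order of appearance in the text."""
    found = [(m.start(), "ethereum", m.group()) for m in ETH_ADDRESS.finditer(text)]
    found += [(m.start(), "tron", m.group()) for m in TRON_ADDRESS.finditer(text)]
    return [(chain, addr) for _, chain, addr in sorted(found)]


def find_substitutions(composed: str, received: str) -> list[Substitution]:
    """Compare the addresses in both ends' view of the same message.

    A clipper swaps the address in transit but shows each side its own expected
    value, so neither notices. Comparing the two views (read back over a second
    channel, for example) exposes the mismatch. Addresses are compared pairwise
    by position; a missing counterpart is reported with an empty string.
    """
    sent = extract_addresses(composed)
    got = extract_addresses(received)
    diffs: list[Substitution] = []
    for i in range(max(len(sent), len(got))):
        chain_s, addr_s = sent[i] if i < len(sent) else ("", "")
        chain_g, addr_g = got[i] if i < len(got) else ("", "")
        if addr_s != addr_g:
            diffs.append(Substitution(chain_s or chain_g, addr_s, addr_g))
    return diffs


# Constructed sample addresses (not real wallets) used for the demonstration.
VICTIM_ETH = "0x" + "11" * 20
ATTACKER_ETH = "0x" + "22" * 20
VICTIM_TRON = "T" + "A" * 33
ATTACKER_TRON = "T" + "B" * 33


def demo() -> list[Substitution]:
    """Run the check on a constructed message pair where the ETH address was swapped."""
    composed = f"Send 0.5 ETH to {VICTIM_ETH} please"
    received = f"Send 0.5 ETH to {ATTACKER_ETH} please"
    return find_substitutions(composed, received)


if __name__ == "__main__":
    for s in demo():
        print(f"{s.chain}: composed {s.expected} but recipient saw {s.observed}")
```

The check only helps when the two views are obtained independently of the compromised device, for instance by having the counterparty read the address back over a voice call; a wallet app's own display is exactly what the clipper controls.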
In addition to modifying wallet addresses, the malware is also equipped with the ability to harvest device information, all WhatsApp messages, and .jpg, .png and .jpeg images from the DCIM, Pictures, Alarms, Downloads, Documents and Screenshots folders, and send them to the attacker’s server.
The intention behind this step is to scan the stored images for wallet recovery phrases (aka mnemonics), allowing the threat actors to gain unauthorized access to victims’ wallets and drain the assets.
It is not clear who is behind the campaign, although the attackers have been found leveraging around 30 domains to distribute the malicious applications and using more than 60 command-and-control (C2) servers to manage the operation.
Further analysis of the nearly two dozen cryptocurrency wallets used by the threat actors has revealed that they received more than $1.6 million in the past two years, indicating that the supply chain compromise has paid off.
The development comes as a Swiss cybersecurity company has discovered a new family of Android malware dubbed Gorilla that is designed to collect sensitive information (for example, device model, phone numbers, Android version, SIM details and installed applications), maintain persistent access to infected devices, and receive commands from a remote server.
“Written in Kotlin, it primarily focuses on SMS interception and persistent communication with its command-and-control (C2) server,” the company said in an analysis. “Unlike many advanced malware strains, Gorilla does not yet use obfuscation techniques, indicating that it may still be under active development.”
In recent months, Android applications embedding the FakeApp trojan and propagated via the Google Play Store have also been found using a DNS server to retrieve a configuration that contains a URL to be loaded.
These applications, since removed from the marketplace, impersonate well-known and popular games and apps, and are equipped with the ability to receive external commands that can perform various malicious actions such as loading unwanted websites or phishing windows.
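Retrieving a loader configuration over DNS is something a resolver log can surface. The following Python is an added hunting example (not code from Doctor Web or from this article) that scans constructed DNS resolver log lines for TXT answers whose content, either as-is or after base64 decoding, contains a URL. The page only says a DNS server is used to fetch a configuration containing a URL; that the configuration travels as a base64-encoded TXT record, the log line format, the client addresses and the domain names are all assumptions made for the example.

```python
"""Flag DNS TXT answers that carry a URL, decoded from base64 where possible.

Added example; not Doctor Web's code. Assumes (not stated on the page) that the
configuration arrives in a TXT record. Log format, hosts and domains are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed resolver log line layout: timestamp, client, query type, name, answer data.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) '
    r'qname=(?P<qname>\S+) rdata="(?P<rdata>[^"]*)"$'
)
URL_IN_TEXT = re.compile(r"https?://[^\s\"']+")


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    url: str


def decode_txt(rdata: str) -> Optional[str]:
    """Base64-decode a TXT payload to UTF-8 text, or return None if it is not base64."""
    try:
        return base64.b64decode(rdata, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def scan_dns_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per TXT answer that contains a URL, raw or after decoding."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["qtype"] != "TXT":
            continue
        candidates = [m["rdata"]]
        decoded = decode_txt(m["rdata"])
        if decoded is not None:
            candidates.append(decoded)
        for text in candidates:
            hit = URL_IN_TEXT.search(text)
            if hit:
                findings.append(Finding(m["client"], m["qname"], hit.group()))
                break
    return findings


# Constructed sample log. The third line carries a base64-encoded JSON config
# with a landing URL, modelled on the behaviour the article describes.
_CONFIG_B64 = base64.b64encode(
    b'{"url":"https://landing.example.invalid/start"}'
).decode("ascii")
SAMPLE_LOG = [
    '2025-04-10T08:00:01Z client=10.0.0.12 qtype=A qname=cdn.example.com rdata="203.0.113.10"',
    '2025-04-10T08:00:02Z client=10.0.0.12 qtype=TXT qname=example.com rdata="v=spf1 include:_spf.example.com ~all"',
    f'2025-04-10T08:00:03Z client=10.0.0.25 qtype=TXT qname=cfg.loader-c2.invalid rdata="{_CONFIG_B64}"',
    '2025-04-10T08:00:04Z client=10.0.0.30 qtype=TXT qname=notes.example.org rdata="plain text, no link here"',
]


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f.client} fetched TXT {f.qname} containing {f.url}")
```

Treat a hit as a lead rather than a verdict: some legitimate TXT records do carry URLs, so the useful signal is a mobile client resolving TXT for a domain it has no other business with, and a decoded payload that looks like configuration.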