Chinese Android phones that target cryptocurrency users with phony Telegram and WhatsApp apps

Cheap Android smartphones from certain Chinese manufacturers have been discovered with harmful apps pre-installed. These apps pretend to be WhatsApp and Telegram but are actually something called a "cryptocurrency clipper." This issue has been ongoing since June 2024.

Using malicious apps to steal financial data isn't new, but a Russian antivirus company, Doctor Web, found something more serious. Hackers are now directly targeting the phone manufacturers. They manage to install these harmful apps on new devices straight from the factory.

These fake apps were identified directly in the phone's software, as reported by Doctor Web. Even the popular WhatsApp app had malicious code added to it.

Most of the affected devices are inexpensive phones that imitate popular Samsung and Huawei models, with names like S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four of these models are from the SHOWJI brand.

Hackers deceive users by showing fake technical specifications on the "About Device" page and in apps like AIDA64 and CPU-Z. This gives the false impression that the phones are running the newest Android version and have upgraded hardware.

These harmful Android apps were created using a tool named LSPatch, which lets a malicious module called Shibai be injected into otherwise legitimate software. Around 40 different apps, such as messaging apps and QR code scanners, have been tampered with in this way.

Doctor Web’s analysis found that the malicious apps hijack the app update process. They download an APK file from a hacker-controlled server and search through chat messages for strings that match the format of cryptocurrency addresses (such as Ethereum or Tron). If they find one, they replace it with the hacker's address, diverting the transaction.

Doctor Web explained that when a message is sent, the fake app shows the sender's correct wallet address, but the recipient sees the hacker's wallet address. Similarly, when a message is received, the sender sees their own address, but the victim’s device shows the hacker's address.
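A defender-side check for the substitution described above, added here as an example (it is not Doctor Web's code nor the malware's): it extracts Ethereum and Tron addresses from a chat message and compares the text the sender composed with the text the recipient actually received, which the two parties would read back to each other over a second channel such as a phone call. The address formats are the public ones, and the sample messages are constructed for the example.

```python
import re
from itertools import zip_longest
from typing import List, Optional, Tuple

# Public address formats: Ethereum is "0x" + 40 hex digits; Tron (base58) is
# "T" + 33 base58 characters. Assumption: these are the only two kinds checked.
ADDRESS_RE = re.compile(
    r"(?P<ethereum>\b0x[0-9a-fA-F]{40}\b)"
    r"|(?P<tron>\bT[1-9A-HJ-NP-Za-km-z]{33}\b)"
)


def extract_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (chain, address) pairs in the order they appear in the message."""
    return [(m.lastgroup, m.group(0)) for m in ADDRESS_RE.finditer(text)]


def detect_substitution(
    composed: str, delivered: str
) -> List[Tuple[Optional[str], Optional[str], Optional[str]]]:
    """Compare the message as typed on the sender's device with the message as
    shown on the recipient's device. Each returned tuple is
    (chain, composed_address, delivered_address); a None entry means one side
    had an address the other side did not. An empty list means no tampering."""
    sent = extract_addresses(composed)
    received = extract_addresses(delivered)
    findings = []
    for s, r in zip_longest(sent, received):
        if s is None or r is None or s[1] != r[1]:
            chain = (r or s)[0]
            findings.append((chain, s[1] if s else None, r[1] if r else None))
    return findings


# Constructed sample: the sender typed one Ethereum and one Tron address; on
# the recipient's device the Ethereum address has been swapped, the Tron one
# arrived intact.
COMPOSED = ("Pay to 0x1234567890abcdef1234567890abcdef12345678 or T"
            + "A" * 33 + " thanks")
DELIVERED = ("Pay to 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef or T"
             + "A" * 33 + " thanks")

if __name__ == "__main__":
    for finding in detect_substitution(COMPOSED, DELIVERED):
        print("address changed in transit:", finding)
```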

In addition to altering addresses, the malware also gathers device information, all WhatsApp messages, and images from folders like DCIM, Pictures, Alarms, Downloads, Documents, and Screenshots. This data is sent to the hacker's server. The goal is to find recovery phrases for wallets, allowing unauthorized access and theft of funds.

The identity of those behind the campaign remains unknown, but about 30 domains are used to distribute the malicious apps, and more than 60 servers manage the operation.

Further investigation into cryptocurrency wallets used by the hackers revealed that they received over $1.6 million in the last two years, showing that their scheme was quite successful.

At the same time, a Swiss cybersecurity company named PRODAFT identified a new Android malware called Gorilla. This malware is designed to collect sensitive phone information, maintain persistent access, and receive instructions from a remote server.

Gorilla malware, as explained by PRODAFT, is coded in Kotlin and mainly focuses on intercepting SMS messages and continuous communication with its command-and-control server. Unlike many advanced malware types, Gorilla doesn't yet use techniques to hide its code, suggesting ongoing development.

Recently, some Android apps containing the FakeApp trojan appeared on the Google Play Store. These apps pose as recognized games and apps but can execute harmful actions like opening unwanted websites or displaying phishing windows upon receiving external commands. They have now been removed from the store.