Android Phones Preloaded with Trojanized WhatsApp Target User Crypto Wallets

Cheap Android smartphones, mainly from Chinese manufacturers, have been found preloaded with trojanized versions of WhatsApp and Telegram. These malicious apps contain clipper malware that targets cryptocurrency users by intercepting clipboard data and swapping wallet addresses. The malware also steals mnemonic phrases from images, hijacks app updates and exfiltrates chat data to numerous C2 servers. Devices such as the S23 Ultra have been affected, and some of them also spoof their hardware specifications. Users are strongly advised to install apps only from trusted sources and to avoid storing sensitive data on the device without encryption.

Technical Description

Since June 2024, Doctor Web researchers have been finding low-cost Android phones that ship preloaded with fake WhatsApp and Telegram apps designed to steal cryptocurrency through clipboard hijacking. These malicious apps automatically replace copied wallet addresses with addresses belonging to the attackers. The campaign targets budget devices that mimic popular models and alter their reported system information to deceive users. The attackers infiltrated the supply chain and embedded the malware directly into pre-installed apps; Doctor Web warns that several Chinese smartphone manufacturers were affected by this supply chain compromise.

Introduction to the Shibai Trojan:

The Shibai trojan is a malicious component embedded within trojanized WhatsApp apps pre-installed on low-cost Android smartphones. Named after the “SHIBAI” string found in its code, the trojan is designed to target cryptocurrency users by stealing wallet addresses and mnemonic recovery phrases. Found on devices from manufacturers like SHOWJI, it takes advantage of the perceived legitimacy of pre-installed apps to execute advanced clipping attacks, mainly targeting Tron and Ethereum wallets.

Targeted Devices and System Spoofing Tactics:

This malware is commonly found on affordable Android smartphones marketed under model names that imitate premium devices, such as the SHOWJI S19 Pro, S23 Ultra and Note 13 Pro. These devices often misrepresent their technical details: they claim to run Android 14 while actually running Android 12. Hardware information apps such as AIDA64 and CPU-Z show falsified CPU and camera specifications, and the altered system information is also displayed in the device settings, deceiving users.
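One practical check for the version spoofing described above (and for recommendation 2 below) is to cross-check the human-readable Android release a device reports against its SDK (API) level, because the two must agree on a genuine build. The script below is an added example, not code from the report or from Doctor Web: it parses the text that `adb shell getprop` prints and flags a device that advertises Android 14 while its SDK level is 31 (Android 12). The `getprop` sample is constructed for the demo; the SDK-to-release mapping uses the public AOSP API-level assignments.

```python
"""Flag Android devices whose advertised release does not match the SDK level.

Added example (not from the report): reads getprop output (what `adb shell
getprop` prints) and cross-checks ro.build.version.release against
ro.build.version.sdk. A counterfeit device that claims Android 14 while
running Android 12 exposes a mismatch here if the spoof only patched the
human-readable release string.
"""
import re

# SDK (API level) -> Android release family, per the public AOSP assignments.
# Android 12L (API 32) belongs to the 12 family.
SDK_TO_RELEASE = {
    28: "9", 29: "10", 30: "11", 31: "12", 32: "12", 33: "13", 34: "14", 35: "15",
}

# Constructed sample: a device that advertises Android 14 but whose SDK level
# is 31 (Android 12). The fingerprint is made up in the usual
# brand/product/device:release/id/incremental:type/tags layout.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.sdk]: [31]
[ro.product.model]: [S23 Ultra]
[ro.build.fingerprint]: [generic/spoof/spoof:14/UP1A.000000.000/1:user/release-keys]
"""

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict."""
    return dict(PROP_RE.findall(text))


def check_release_consistency(props):
    """Return a list of human-readable findings; an empty list means no mismatch."""
    findings = []
    release = props.get("ro.build.version.release", "")
    sdk_raw = props.get("ro.build.version.sdk", "")
    try:
        sdk = int(sdk_raw)
    except ValueError:
        return [f"unparseable ro.build.version.sdk: {sdk_raw!r}"]
    expected = SDK_TO_RELEASE.get(sdk)
    if expected is None:
        findings.append(f"unknown SDK level {sdk}; cannot cross-check release {release!r}")
    elif release.split(".")[0] != expected:
        findings.append(
            f"release {release!r} does not match SDK {sdk} (expected Android {expected})"
        )
    # The build fingerprint embeds the release as well; compare it with the
    # SDK-derived value so a spoof of only one property still shows up.
    fingerprint = props.get("ro.build.fingerprint", "")
    m = re.search(r":(\d+)(?:\.\d+)*/", fingerprint)
    if m and expected and m.group(1) != expected:
        findings.append(
            f"fingerprint claims Android {m.group(1)}, SDK {sdk} implies Android {expected}"
        )
    return findings


if __name__ == "__main__":
    for finding in check_release_consistency(parse_getprop(SAMPLE_GETPROP)):
        print("MISMATCH:", finding)
```

On a real device, pipe `adb shell getprop` into `parse_getprop`; a clean device returns no findings, while the constructed sample returns two (the release string and the fingerprint both disagree with SDK 31). A mismatch is not proof of malware by itself, but on a budget phone it is a strong sign the build information has been tampered with and the pre-installed apps deserve scrutiny.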

How WhatsApp Was Modified for Malware Delivery:

The attackers used the LSPatch tool to modify WhatsApp without altering its core functionality. A malicious module named com.whatsHook.apk is embedded in the app's assets folder. This module redirects update requests away from the official WhatsApp servers to attacker-controlled infrastructure, so the app stays infected across updates. In total, around 40 apps have been compromised this way, including Telegram, QR code scanners and popular crypto wallets such as MathWallet and Trust Wallet.
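Because an APK is a ZIP archive, a first triage of a suspicious pre-installed app can be done with the standard library alone: list the entries and look for executable-looking payloads under `assets/`, where the report says the `com.whatsHook.apk` module lives. The script below is an added example, not the report's or Doctor Web's code; the sample archive is constructed in memory, the `com.whatsHook.apk` name is the one from the report, and the other suspicious-suffix rules are a general heuristic rather than a description of this specific malware.

```python
"""Inspect an APK for secondary APK/DEX payloads hidden under assets/.

Added example (not the report's code). Legitimate APKs keep their executable
code in classes*.dex at the archive root, so APK, DEX or native-library files
under assets/ deserve a closer look, though some legitimate apps ship plugins
that way, so treat a hit as a lead, not a verdict. The sample archive is
constructed in memory.
"""
import io
import zipfile

SUSPECT_SUFFIXES = (".apk", ".dex", ".jar", ".so")
# The only entry here is the module name given in the report.
KNOWN_BAD_NAMES = {"com.whatsHook.apk"}
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"


def build_sample_apk():
    """Construct a minimal fake APK (a ZIP) with an embedded module under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00")
        z.writestr("assets/emoji/data.bin", b"\x00" * 16)  # benign asset
        z.writestr("assets/com.whatsHook.apk", ZIP_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def scan_apk(apk_bytes):
    """Return (entry name, reasons) for executable-looking or known-bad entries under assets/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            base = name.rsplit("/", 1)[-1]
            head = z.read(name)[:4]
            reasons = []
            if base in KNOWN_BAD_NAMES:
                reasons.append("name matches the module described in the report")
            if base.lower().endswith(SUSPECT_SUFFIXES):
                reasons.append("executable file type under assets/")
            if head.startswith(ZIP_MAGIC) or head.startswith(DEX_MAGIC):
                reasons.append("ZIP/DEX magic bytes")
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in scan_apk(build_sample_apk()):
        print(f"{entry}: {'; '.join(reasons)}")
```

To use it on a device, pull the app with `adb pull` after locating it with `adb shell pm path <package>`, then pass the file bytes to `scan_apk`. Checking the magic bytes as well as the extension matters because a payload can be renamed to look like a data file; conversely, an entry flagged only by extension may be a legitimate plugin, which is why each finding carries its reasons.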

Clipboard Hijacking and Wallet Address Manipulation:

The Shibai trojan uses enhanced clipping techniques to intercept and replace cryptocurrency wallet addresses found in WhatsApp messages. It targets Tron addresses (strings starting with "T") and Ethereum addresses (strings starting with "0x"). During a conversation the victim still sees their original address, while the recipient receives the attacker's substituted address, and the same swap is applied in reverse to incoming messages. If the connection to the command-and-control servers is lost, fallback wallet addresses are used.
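The observable effect of the clipper is that the address which leaves the device differs from the one the user intended, so a defender-side check is to compare the two and to validate address structure before trusting it. The script below is an added example, not the report's code: it finds Tron and Ethereum address patterns in message text, validates Tron addresses with the Base58Check rule (version byte 0x41, double-SHA-256 checksum) using only the standard library, and flags any address in an outgoing message that the user did not intend to send. Ethereum EIP-55 checksum validation needs Keccak-256, which the standard library lacks, so Ethereum addresses are only pattern-matched here. All addresses are constructed for the demo and are not real wallets.

```python
"""Detect Tron/Ethereum addresses in message text and flag a swapped address.

Added example (not the report's code). Tron addresses are Base58Check with
version byte 0x41 and a 4-byte double-SHA-256 checksum, which is why they
start with "T"; Ethereum addresses are "0x" plus 40 hex digits. All
addresses below are constructed for the demo.
"""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_PREFIX = b"\x41"  # Tron mainnet address version byte

ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def b58encode(raw):
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_address_from_hash(h160):
    """Build a Tron address from a 20-byte account hash (used only to construct samples)."""
    payload = TRON_PREFIX + h160
    return b58encode(payload + _checksum(payload))


def is_valid_tron_address(addr):
    """True only if Base58Check decodes to 25 bytes with version 0x41 and a good checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[:1] != TRON_PREFIX:
        return False
    return _checksum(raw[:21]) == raw[21:]


def find_addresses(text):
    """All Tron- and Ethereum-looking addresses in a message."""
    return {"tron": TRON_RE.findall(text), "eth": ETH_RE.findall(text)}


def detect_substitution(intended, sent_text):
    """Addresses present in the text that left the device but not intended by the user."""
    found = find_addresses(sent_text)
    return set(found["tron"] + found["eth"]) - set(intended)


# Constructed sample: the address the user copied vs. the message that was sent.
USER_ADDR = tron_address_from_hash(bytes(range(1, 21)))
ATTACKER_ADDR = tron_address_from_hash(bytes(range(21, 41)))
OUTGOING = f"send it here: {ATTACKER_ADDR} thanks"

if __name__ == "__main__":
    print("user address valid:", is_valid_tron_address(USER_ADDR))
    print("substituted:", detect_substitution([USER_ADDR], OUTGOING))
```

The structural check catches truncated or mistyped addresses, but a clipper substitutes a well-formed attacker address, so only the comparison against what the user intended (for example, the address shown on a hardware wallet or read back from the recipient over a second channel) detects the swap.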

Data Theft and Recovery Phrase Extraction:

Beyond clipping, Shibai steals all WhatsApp chat messages and sends them to attacker-controlled servers, which search them for sensitive information. It also scans common folders such as DCIM, DOWNLOADS, PICTURES, DOCUMENTS, ALARMS and SCREENSHOTS for image files (.jpg, .png, .jpeg) that may contain mnemonic phrases, the 12- to 24-word sequences used for wallet recovery. These are often stored as screenshots, which makes them easy targets. Additionally, the trojan collects device metadata and sends it to over 60 C2 servers, while roughly 30 domains are used to distribute the infected apps.

Monetization and Attack Infrastructure:

The Shibai campaign has proven financially lucrative. One of the attacker’s wallets has collected over $1 million, and another holds around $500,000 accumulated over two years. About 20 other wallets each contain up to $100,000. The supporting infrastructure involves more than 60 command-and-control servers and 30 domains. Wallet addresses are regularly updated by attacker servers, making the operation harder to trace and highlighting its large scale and sophistication.

Conclusion:

The Shibai trojan campaign highlights the growing threat of supply chain attacks on low-cost Android devices. By leveraging pre-installed, trojanized apps and sophisticated spoofing techniques, the attackers effectively target cryptocurrency users at scale. The operation's vast infrastructure and financial success underline the urgent need for secure app sourcing and better awareness of mobile device integrity.

Impact

The Shibai trojan poses a serious threat to the cryptocurrency ecosystem by silently hijacking transactions and stealing wallet recovery data. Victims may unknowingly lose funds through clipboard manipulation and exposed mnemonic phrases. The campaign undermines trust in low-cost Android smartphones, especially those preloaded with seemingly legitimate apps. It also exposes major supply chain vulnerabilities within lesser-known device manufacturers. With over $1 million already stolen, the financial and reputational impact on users and brands is significant. Furthermore, its advanced infrastructure complicates detection and response, making it a persistent cybersecurity concern.

IOC and Context Details

Tactic Name: Defense Evasion, Discovery
Technique Name: Defense Evasion: Obfuscated Files or Information, Masquerading; Discovery: System Information Discovery
Sub Technique Name: Defense Evasion - Obfuscated Files or Information: Software Packing
Attack Type: Malware
Targeted Applications: Generic, Telegram, WhatsApp
Region Impacted: Global
Industry Impacted: Financial services

IOCs

Hash (SHA-256):
0e8dfd5a06e0e5d65a83ff894f8f2ed44614011ffa9434d691391a6e25e4a5a8
ebbb3a16482056fa4dee55be9ac67220a0ae0be035dbde762d832dc84342f479
53b41f28f521945e3f8e1bb13f7221f107f79d61f49a2c4d053a7004199d8677
85c63275611d2407f9888157c51ec96f8996caac3691e56f74820197f49767c3
a8da272657006551564494e7fad888191f33470305398fc60a3f8bef015fbbab
7c0f90f6705717d14f89e43fefb87994c2e5da974a2e0176b0bd6400cbb753cc
825b652aea6c74e2492cbb4fcb63e9fe4e2d6bf69c1ae47527c044b9551c5d97
01b18b757a716519edc1c1e1fd9cddd24c7202c6956b3eae3c8a50718657dc54
8055d16766ae40053c27565acedbb485e7b45658d3418086b7170457cfe8d368
f774a3cb331fe885e10a3755c71e2c7a5720cfae18baf41a8779c21fc19ce16d
1bea59c9f9b87d9eb3aa27698836a19d4731e100706dc6230ce37284679672b8
e1f69f006bf1b71739a9a51a06261bd21d161e5a9ed900d99c3c67e549b57a4f
f56a400dd6a7923251ee6c9a7e95a53c5dae69f255ef0443a8922de253be9848
a503a8aa5f19fe8fe68b07b25b5ff0547682aa14dcf08ea656bc2f2d28a774ef
fe52303a550cbac9c080c64d83635c3c6149cc40f03fd6bfb42b8d24353efada
6aec43e1df14e214fe1304e36c49b33fe407ba8538cbacca96fdcc92cbdf868b
6d43e6630207474ae6d993309be712f9d70c56f8283d8cc134d2e3dc61f92ece
9c6091a8c6379d2189e246feb37e0744decf611aecfcbf9213ec1ea21a4cdf60
e7ef3b886db7df4b032f4e5009d0cd4416bd26678229919a7e154a41e809bc9d
113f3e0a2c7d3c6192de8180383da85e95c4ece8647c430be62608fc6c8c83a6
09c162a000a5724e7f5ce14e202b396864dcce2f5287ce1d1f30ca2a0cb53ff7
b453649085ec632d0678021a9af76804643328c3325ac6ba323f07f9fe70a09e
60ed890b07b92e00050aea6258a405e8c3a59d3fa93c69c485aacb202a5e0b28
08bb34fcda945a12f981c3e01124e6c4d6a89dca809f5fca256007e1dadec436
eab6252e6dc6e3579f4c12fe38163a6aa01fca9e71d3f05b9023db26960468a6
6ac2da3da614ed9d2b833fc3b3bca5ca90741630ca70d739687604a537446937
77dce07e22af76c32fc0500c6148964fcea9bf1e93b16eafb2edc5521f7c1ddd
11ae46f6207fa80dc9a49eec5c291395586e506952f38a772bdc22218d7e2a41
3ca39fa64ee3d51321ec795019b95d7ab98035c217b2602a96dbcd62026a7e04
ebcec9c32d6d8b5f83b4e98405cfe31b7816022574205dea289d4f8ac27f9dc8
2375049af03fa58d9ffa67df2bc41dcb39aeedfa26eca23b3832eb7906ab2f6f
a1b4c4b6c405c06bc7fbb59c08c90cbfb28443020ed74689240e0c8e03315f76
0ac38bf72b21263f5bb3547226342ff405395f32a180ef02d10fa2b158d3e345
71bc42fe9d521b35b8a4380ebe1e3d8eafd9f08036a29e4db46334575df43b8d
b4bac8fe62066437760552033bc0d335627c84c2eff8a9299fd1f57484e4d09b
4b0bf07a8ce1727b77c923111cdceac7129fa9bb29532c7ddd06bddc36da6b35
ebeee8b68937651d782082da6185a892f1a057010b02442729637ffd9235d67f
686eddfc03387ab7ccaa6ae0e02c0a1977c242c680d495fccc5b1c124440f650
f8b2d4b98cfcd52f9e4bd0ef34ecd72a1c5a2284fa42f6f3b7f45098e9a0b405
bbe215863d48c573f7c9a7ecbf30ae4f4eece2ebe54fcf74a9fee7173568ed23
2ca4455e1da346b5d7e562e781e295f887c3d9419015fb14dce1ef4af81de89e
1dd3415ab07ffd456bd3c96825cc9614903e466e293eb1a17fa6d99f7435dec4
c8657056de30426d8ff8c6de786907a398c78ea4d1d3e830642f54f3ba684c38
6ce354bdf235cfd748886036286f152d7009f4e7a5eb841f36510cf35655640f
4f3a93931bdf44167c22bef42b9ae0045fd57098e6299ca9dff08c8c552812d1
a273eb811fca9ca1e837c772433592e2ccdcdd0fea4a1091d37d5005e65ee5f6
6566beebd6c8771147763b65e5bdcebad09c3d813a6932b913d542cf939dbe9c
097f9be249c9883d7c5ccb22299431d8bc79609b27c3323b03441e6882233f59
03232aaf7864d0d425e7d4e7d8014c415bbca28faf0ba8c072042d49ac32eef4
6e3549b23e2f6eb895cfe9116446d51f2cad009278294932c0f2857f5c69ca3b
601798b312869788a6c337f4775e2b40353af56c84df32c0a22833d06fde5f4b
3783513f15d0e41de2d21fcd941965ff0a650a377448fe5731590a8afea636ee
543e2a03a906291018c74b8b7cebcfca68e00d391a6b20f21e40580682b47c18
0660eae66d86849568bd28beda92529738b5dfe64b72494665d9d33609450c39
28d394af4aadebf0866ecc02038ab648af832433bd26b74481a9c1f679f062c8
66e33e2ffbdfa46e5d8dee6ed7a4eecc0ad6b6a553bb4403e12ec8416ea8d0b8
1757ea393566d8ba5d13a89783c249690d7ae8d5eb3be5a2153b974563d51757
3b33bdc8bd16020769f01290788808d5a615da27ea07c9c6d42e0a71eb4d45ee
fc65c331ae8397e4c2c3059aff82477466528fb3049cc1c70ace32c9c3e781c8
3d1595626c36e0066c9dd368e7e4cc1aa6d5af605fa53f9980bc7346c40c57cb
8da17e000061fd31105a8710ace4ce6b1f6334cba9a2fd89ce24151574b1924c
17d0639fb743ba31df966880c521e4ab45e333d45653e4573ac0ecf671b79cf5
cdd372e0cd9aa820c76bc40a0bc3b352527dd9e155d9e5fbf31837d19e35f679
767a7e67aa3b734249a0ccac1ef4f78a8ebc4c7d1587fc46e61f5e966140c4ac
f91091978d30640418d024d5d0a0aeac4e30593d2b76d9bc84633fbadb7fbb30
fee43dfb2fec49f22cf9d59a104b3e51e25c92348a5c9ce5bc4474854ffebff2
2118694a119b8af7fa64cbdb5edf94e755250d0b02c148e3e4517af59c3fc864
b6dab5ce63e27789852c9fe8f05c674e6c557560c86ec78bce052834ca9050c1
c6db9ee882c0901cba75c93403cc420a293867c326e3dedcd20fcd1d998d4060
635360840f6a2d0077d3f7572898fb10957b1db5e0f36cfdde13ff5c474eac81
f61e64fe65002d26ac57dbe1d7f82c8cbfaf9e8d643453068ce07f071421c357
6280a9da842b6255e6722822aee5de10ba900d77cc59e70e30caf88523dc3f82
b61b027e36fe96c6bbc59e4f5f18fb54cdb8e8a1cad63ddaa4af7892324349a9
a2d30148b04fb96f08c5965a3643fbcc62253d6ace3db7d73e1a52ca8345da1b
eddd258b06c3ee1332c1eef7d20f8ec07017a0b531a00950f3824497557b93e7
d29d42297c943f7f618d15781167c6ab42e29293589e7fa86c93180e8f7b52eb
b0f55e2695e71697353d494d1708d2dd56cfdaa356ce2065896850eb537de588
86c3e3d9edc90e177d022d9693be779e5398201f47bae53cabdaaa2232d97112
fbb8d4a58a40de45b3178b7cbe580e7c601e8542dac45f8d2d95415d5ba4c86e
2c973ac4e224e1110d86175eec9e82844c69c3c598e472de99d08f518c7bf943
9a8e8b84bdc618fac50ecc33fce4d6efb2b93ff3f50fd584f230a811ec396a6c
7245f6a55eb76963dcb28054b50070e3c75e50b3c03bd2fcbf2eb33eda09ae92
96cf16eab707bfe28400b94da2a48078de47c5ec361422978323f2a6429d7288
acad7947d399517814e67bebbfbd6084406ad9e936a00bfc2ae893d0cf6a2b2e
b8bf3c4acc403197bafeab9a72a07160b63775bda38619776aac0023bb9ac630
f1bbf162f980c04ef034986695cacb2b09343ec29efbc4637b6dd9df111e191f
ef971bda34ba2425523d5a5e98769397b8c01a117c85b79bad8170c14737a509
0d69a69e24efdaef3c042dd026e12c511b64a314565ae4187284c5eb4bf29dea
320583ca69984b5e30fa85888ce630401455acab2ed19796116f892017c12cdc
32614ba343e59e32e2bba50eccb0432de60634eaa57ebf03ab4e30ea1646ac9f
665174dfe58837fa4d5e19792caceba7db236c92f326d3d57302dbf0c73e1e67
5966377d70969ad1af728307a6594de4a570c20c120258ab0f2fde1c0c515fca
41f9e76b18337f2271c82602fe9e9c1d5765e4ab24aa612ea6ad2647b6aa00fe
78625bec3fe0101fd7ec0e3e3f007e2780bdaea4e5683ceff7fd9b96ef45bb2e
ad7e5b760b6fcad4aa91e30b42daa282ccf64fb859e62cb75014d22d1ab9059f
cf955b81396f7b5f8d6d3d3768fd050a1188fd8456105c7f8100dfe50a6520d5

Domain:
aa1232211[.]com, tgup1988[.]com, cloudchat-dl[.]com, aicoin-app[.]co, chaojiqianht[.]com, chun2021[.]com, mathwallet-apk[.]com, qchbcy4t[.]com, signal-apk[.]com, baituo16a[.]com, 10hao11-15[.]com, icomecome-apk[.]com, v0jxxzyo[.]com, tronlink-apk[.]net, imapi04[.]com, cmcjk13[.]com, dd1aw3xx[.]com, ffghj10[.]com, wtnt7lpc[.]com, kwcmceyy[.]com, huione[.]im, v8bextm[.]com, 2h5add[.]com, whatapwr[.]com, 1h9pic[.]com, tuite13041[.]com, tradingview[.]im, rombna74[.]com, nxhc7nqh[.]com, com[.]mathwallet[.]android, fbadd001[.]com, feizhouht[.]com, 2h5pic[.]com, ethereumdf[.]com, com[.]coinmarketcap[.]android, trustwallet-apk[.]net, 14haofeijijk[.]com, coinmarketcap-apk[.]com, 14haofeijiht[.]com, com[.]bintiger[.]mall[.]android, imtoken-apk[.]co, 14hjiekou[.]com, snapseed-apk[.]com, letstalkapk[.]com, imgokoo-apk[.]com, t7xkyjzh[.]com, expassvpn[.]com, feixiaohao-download[.]net, sinadd1[.]com, jinsecaijing[.]vip, org[.]tel41[.]me, com[.]wemart[.]mobile, tgadd0002[.]com, wsadd001[.]com, mxvzlcbf[.]com, bn-download4[.]com, org[.]cloudchat[.]messengernew[.]cn, line-apk[.]org, batchat-apk[.]com, caoliao[.]co, canadaht[.]com, 81w75ym[.]com, wspic001[.]com, ltkddsqwx[.]com, com[.]twitter[.]android, 20hout[.]com, itokenapk[.]com, whatappic[.]com, wemart-apk[.]com, bfpic1[.]com, sinpic1[.]com, btok-app[.]org, xiatian2021[.]com, ledger-apk[.]com, tokentrad[.]net, jp[.]nvaer[.]line[.]android, fbpic001[.]com, apk-download[.]pro, yyzspeed[.]com, mathwalletapp[.]com, ouyi-apk[.]com, wjkpi18[.]com, tradingview-app[.]im, 2ezj9i7k[.]com, org[.]tel28[.]me, im[.]t5011[.]app, 9pic001[.]com, wjkwr18[.]com, 10dddssjk[.]com, jinse16a[.]com, fj1h9qdpic[.]com, wrnwp2ke[.]com, bfadd1[.]com, telegramapk[.]pro, 14walletapi[.]com, cc1232211[.]com, ws-app[.]org, whatsdownloadapp[.]com, 1h9add[.]com, tokenpocket-app[.]net, wenchao16a[.]com, hw16001[.]com, org[.]te16067[.]me, potato-apk[.]com, tgpic0001[.]com, exquickvpn[.]com, e-gets-app[.]com, com[.]jinse[.]app, tppic01[.]com, fj1h9qd[.]com

CVE: NA
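The domain IOCs above are published defanged (dots written as `[.]`), so before they can be used in a detection they have to be refanged, and a match should cover subdomains of a listed domain without over-matching names that merely end in the same characters. The script below is an added example, not the report's code: it refangs two domains taken from the list above and runs them over constructed dnsmasq-style DNS query log lines. The log lines and the client IPs are made up for the demo.

```python
"""Match defanged domain IOCs against DNS query logs.

Added example, not part of the report. Refangs "[.]"-style domains, then
checks every queried name for an exact or subdomain match, so that
"update.mathwallet-apk.com" hits the listed "mathwallet-apk[.]com" while
"nottronlink-apk.net" does not hit "tronlink-apk[.]net".
"""
import re

# Two entries copied from the report's domain list; the rest of the list can be
# appended in the same defanged form.
DEFANGED_IOCS = ["mathwallet-apk[.]com", "tronlink-apk[.]net"]

# Constructed sample lines in dnsmasq's "query[TYPE] name from client" layout.
SAMPLE_DNS_LOG = """\
Apr 10 09:12:01 gw dnsmasq[512]: query[A] update.mathwallet-apk.com from 10.0.0.23
Apr 10 09:12:02 gw dnsmasq[512]: query[A] www.example.com from 10.0.0.23
Apr 10 09:12:03 gw dnsmasq[512]: query[A] tronlink-apk.net from 10.0.0.41
Apr 10 09:12:04 gw dnsmasq[512]: query[A] nottronlink-apk.net from 10.0.0.41
Apr 10 09:12:05 gw dnsmasq[512]: reply www.example.com is 93.184.216.34
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")


def refang(domain):
    """Turn 'a[.]b', 'a(.)b', 'a{.}b' or 'hxxp://' style defanging back into a plain domain."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return d.rstrip("./")


def matches_ioc(qname, ioc_domains):
    """Return the matching IOC for an exact or subdomain match, else None."""
    q = qname.lower().rstrip(".")
    for ioc in ioc_domains:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(log_text, defanged_iocs):
    """Return (client, queried name, matched IOC) for every hit in the log."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies and other non-query lines are skipped
        qname, client = m.groups()
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append((client, qname, ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS):
        print(f"{client} queried {qname} (IOC: {ioc})")
```

A hit from a phone on the network identifies a device worth pulling for the APK inspection above; because the report notes that the update channel is redirected to attacker infrastructure, queries for these domains that recur at fixed intervals are a particularly useful signal.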

Recommended Actions

  1. Use Reliable Antivirus Software: Install trusted antivirus solutions on Android devices to detect and eliminate trojanized apps effectively.
  2. Check Device Authenticity: Use tools like DevCheck to verify actual device specifications and identify spoofed hardware on budget smartphones.
  3. Download Apps from Official Sources: Only install apps from trusted platforms such as Google Play, RuStore, or AppGallery to reduce the risk of malware.
  4. Avoid Storing Sensitive Data on Device: Refrain from saving unencrypted screenshots of mnemonic phrases, passwords, or private keys on your phone.
  5. Monitor for Suspicious Activity: Stay alert to unusual app updates, unexpected redirects, or background activity and investigate any irregular behavior promptly.
  6. Secure Your Wallet Information: Keep mnemonic phrases stored offline or use encrypted storage solutions to prevent theft through image scanning.

References