Android Phones Preloaded with Trojanized WhatsApp Target User Crypto Wallets

Cheap Android smartphones mainly from Chinese manufacturers have been found preloaded with trojanized versions of WhatsApp and Telegram. These malicious apps contain clipper malware that targets cryptocurrency users by intercepting clipboard data and swapping wallet addresses. The malware also steals mnemonic phrases from images, hijacks app updates and exfiltrates chat data to numerous C2 servers. Devices like the S23 Ultra have been affected, with some even spoofing hardware specs. Users are strongly advised to install apps from trusted sources and avoid storing sensitive data without encryption.

Technical Description

Beginning in June 2024, Doctor Web researchers found that certain low-cost Android phones ship with fake WhatsApp and Telegram apps designed to steal cryptocurrency through clipboard hijacking. These malicious apps automatically replace copied wallet addresses with addresses belonging to the attackers. The campaign targets budget devices that mimic popular models and alter their reported system information to deceive users. The attackers compromised the supply chain, embedding the malware directly into pre-installed apps; Doctor Web warns that several Chinese smartphone manufacturers were affected.

Introduction to the Shibai Trojan:

The Shibai trojan is a malicious component embedded within trojanized WhatsApp apps pre-installed on low-cost Android smartphones. Named after the “SHIBAI” string found in its code, the trojan is designed to target cryptocurrency users by stealing wallet addresses and mnemonic recovery phrases. Found on devices from manufacturers like SHOWJI, it takes advantage of the perceived legitimacy of pre-installed apps to execute advanced clipping attacks, mainly targeting Tron and Ethereum wallets.

Targeted Devices and System Spoofing Tactics:

This malware is commonly found on affordable Android smartphones that impersonate premium models such as the SHOWJI S19 Pro, S23 Ultra and Note 13 Pro. These devices often misrepresent technical details—claiming to run Android 14 while actually using Android 12. Apps like AIDA64 and CPU-Z show falsified specs for the CPU and camera, deceiving users with altered system information displayed in the device settings.

How WhatsApp Was Modified for Malware Delivery:

Attackers use the LSPatch tool to tamper with WhatsApp without modifying its core functionality. A malicious module named com.whatsHook.apk is embedded into the app’s assets folder. This module redirects update requests away from official WhatsApp servers to attacker-controlled infrastructure, ensuring the app stays infected with every update. In total, around 40 apps have been compromised this way, including Telegram, QR code scanners and popular crypto wallets like MathWallet and Trust Wallet.
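One way to triage a suspect build for this kind of tampering, added here as an example and not code from Doctor Web or WhatsApp: legitimate apps keep fonts, images and data under assets/, so any entry there that carries ZIP or DEX magic bytes (or an executable extension) marks a repackaged APK. The archive the script inspects is constructed in memory; the only page-derived detail is the module path assets/com.whatsHook.apk.

```python
# Triage an APK for executable modules hidden under assets/ (added example;
# the archive below is constructed and only assets/com.whatsHook.apk is from the page).
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # a nested APK is itself a ZIP archive
DEX_MAGIC = b"dex\n"       # raw Dalvik bytecode
SUSPECT_EXT = (".apk", ".dex", ".jar", ".zip")


def classify_blob(head: bytes):
    """Return 'zip' or 'dex' when the leading bytes are code, else None."""
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "dex" if head.startswith(DEX_MAGIC) else None


def find_embedded_modules(apk_bytes: bytes):
    """List (entry, reason) for code-bearing files under assets/, where
    only fonts, images and data belong; a hit warrants a signing-cert check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith("assets/"):
                continue
            kind = classify_blob(zf.read(name)[:8])
            if kind is not None:
                findings.append((name, f"{kind} magic bytes"))
            elif name.lower().endswith(SUSPECT_EXT):
                findings.append((name, "executable extension"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like archive carrying a hidden module (demo input)."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 16
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:  # the hidden module is a ZIP
        z.writestr("classes.dex", fake_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/fonts/roboto.ttf", b"\x00\x01\x00\x00")  # benign
        z.writestr("assets/com.whatsHook.apk", inner.getvalue())
    return outer.getvalue()
```

Running find_embedded_modules(build_sample_apk()) reports the hidden module and ignores the font; on a real device the same check is run against the APK pulled from the phone, followed by comparing its signing certificate with the vendor's published one.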

Clipboard Hijacking and Wallet Address Manipulation:

The Shibai trojan employs enhanced clipping techniques to intercept and replace cryptocurrency wallet addresses found in WhatsApp messages. It targets Tron (strings starting with “T”) and Ethereum (strings starting with “0x”) addresses. During communication, the victim sees their original address, but the recipient gets the attacker’s substituted address—or vice versa for incoming messages. If connection with the command-and-control servers is lost, backup wallet addresses are used.
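A defender-side way to spot the substitution described above, added here as an example and not part of Doctor Web's analysis: given the sender's copy of a message and the copy the peer actually received (for instance confirmed over a second channel), it reports any address of the same chain that changed in transit. The Tron and Ethereum patterns are the ones the text names; the sample addresses are constructed and match only the format.

```python
# Detect clipper-style address substitution between two views of one message
# (added example; the addresses are constructed and only match the formats the page names).
import re

# Tron: "T" + 33 base58 chars (alphabet omits 0, O, I, l). Ethereum: "0x" + 40 hex digits.
ADDRESS_PATTERNS = {
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def extract_addresses(text: str):
    """Return (chain, address) pairs in the order they appear in the text."""
    hits = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        hits.extend((m.start(), chain, m.group(0)) for m in pattern.finditer(text))
    return [(chain, addr) for _, chain, addr in sorted(hits)]


def detect_swaps(sender_view: str, recipient_view: str):
    """Compare the sender's copy of a message with what the recipient received.

    A clipper leaves the surrounding text intact and replaces only the
    address, so a position where both sides hold an address of the same
    chain but the strings differ is reported as a substitution.
    """
    swaps = []
    pairs = zip(extract_addresses(sender_view), extract_addresses(recipient_view))
    for (chain_s, addr_s), (chain_r, addr_r) in pairs:
        if chain_s == chain_r and addr_s != addr_r:
            swaps.append({"chain": chain_s, "original": addr_s, "substituted": addr_r})
    return swaps


# Constructed sample: the victim's own address versus the one the peer received.
VICTIM_TRON = "T" + "VictimAddr".ljust(33, "1")
ATTACKER_TRON = "T" + "AttackerAddr".ljust(33, "1")
VICTIM_ETH = "0x" + "a1" * 20
SENDER_VIEW = f"TRX to {VICTIM_TRON}, ETH to {VICTIM_ETH}"
RECIPIENT_VIEW = f"TRX to {ATTACKER_TRON}, ETH to {VICTIM_ETH}"

if __name__ == "__main__":
    for swap in detect_swaps(SENDER_VIEW, RECIPIENT_VIEW):
        print(f"{swap['chain']} address swapped: {swap['original']} -> {swap['substituted']}")
```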

Data Theft and Recovery Phrase Extraction:

Beyond clipping, Shibai steals all WhatsApp chat messages and sends them to attacker-controlled servers in search of sensitive information. It scans common folders such as DCIM, DOWNLOADS, PICTURES, DOCUMENTS, ALARMS and SCREENSHOTS for image files (.jpg, .png, .jpeg) that may contain mnemonic phrases—12 to 24-word sequences used for wallet recovery. These are often stored as screenshots, making them easy targets. Additionally, the trojan collects device metadata and sends it to over 60 C2 servers, while roughly 30 domains are used to distribute the infected apps.

Monetization and Attack Infrastructure:

The Shibai campaign has proven financially lucrative. One of the attacker’s wallets has collected over $1 million, and another holds around $500,000 accumulated over two years. About 20 other wallets each contain up to $100,000. The supporting infrastructure involves more than 60 command-and-control servers and 30 domains. Wallet addresses are regularly updated by attacker servers, making the operation harder to trace and highlighting its large scale and sophistication.

Conclusion:

The Shibai trojan campaign highlights the growing threat of supply chain attacks on low-cost Android devices. By leveraging pre-installed, trojanized apps and sophisticated spoofing techniques, attackers effectively target cryptocurrency users at scale. The operation’s vast infrastructure and financial success underline the urgent need for secure app sourcing and better awareness of mobile device integrity.


Impact

The Shibai trojan poses a serious threat to the cryptocurrency ecosystem by silently hijacking transactions and stealing wallet recovery data. Victims may unknowingly lose funds through clipboard manipulation and exposed mnemonic phrases. The campaign undermines trust in low-cost Android smartphones, especially those preloaded with seemingly legitimate apps. It also exposes major supply chain vulnerabilities within lesser-known device manufacturers. With over $1 million already stolen, the financial and reputational impact on users and brands is significant. Furthermore, its advanced infrastructure complicates detection and response, making it a persistent cybersecurity concern.

IOC and Context Details

Tactic Name: Defense Evasion, Discovery
Technique Name: Defense Evasion: Obfuscated Files or Information, Masquerading; Discovery: System Information Discovery
Sub-Technique Name: Defense Evasion – Obfuscated Files or Information: Software Packing
Attack Type: Malware
Targeted Applications: Generic Applications, Telegram, WhatsApp
Region Impacted: Global
Industry Impacted: Financial Services
Indicators of Compromise (IOCs):
SHA-256 Hashes:
0e8dfd5a06e0e5d65a83ff894f8f2ed44614011ffa9434d691391a6e25e4a5a8,
ebbb3a16482056fa4dee55be9ac67220a0ae0be035dbde762d832dc84342f479,
53b41f28f521945e3f8e1bb13f7221f107f79d61f49a2c4d053a7004199d8677,
85c63275611d2407f9888157c51ec96f8996caac3691e56f74820197f49767c3,
a8da272657006551564494e7fad888191f33470305398fc60a3f8bef015fbbab,
(Multiple additional hashes observed – full list retained as provided)

Domains:
aa1232211[.]com, tgup1988[.]com, cloudchat-dl[.]com, aicoin-app[.]co,
mathwallet-apk[.]com, signal-apk[.]com, tronlink-apk[.]net,
trustwallet-apk[.]net, tradingview-app[.]im, telegramapk[.]pro,
ledger-apk[.]com, tokenpocket-app[.]net, line-apk[.]org,
(Multiple additional domains observed – full list retained as provided)
CVE: N/A

Recommended Actions

  1. Use Reliable Antivirus Software: Install trusted antivirus solutions on Android devices to detect and eliminate trojanized apps effectively.
  2. Check Device Authenticity: Use tools like DevCheck to verify actual device specifications and identify spoofed hardware on budget smartphones.
  3. Download Apps from Official Sources: Only install apps from trusted platforms such as Google Play, RuStore, or AppGallery to reduce the risk of malware.
  4. Avoid Storing Sensitive Data on Device: Refrain from saving unencrypted screenshots of mnemonic phrases, passwords, or private keys on your phone.
  5. Monitor for Suspicious Activity: Stay alert to unusual app updates, unexpected redirects, or background activity and investigate any irregular behavior promptly.
  6. Secure Your Wallet Information: Keep mnemonic phrases stored offline or use encrypted storage solutions to prevent theft through image scanning.

References

https://thehackernews.com/2025/04/chinese-android-phones-shipped-with.html