Stratos Ally

A wave of smartphone-based attacks is draining cryptocurrency

StratosAlly

Since June 2024, cheap Android phones made by Chinese companies have been found shipping with trojanized versions of WhatsApp and Telegram pre-installed. The fake apps hide malware that steals cryptocurrency by silently swapping the wallet addresses a user sends, receives or copies to the clipboard.

According to the Russian antivirus company Doctor Web, this campaign is more serious than usual because the attackers have compromised the phones' supply chain: the malware is added before the device ever reaches the customer.

Doctor Web said the fake apps were already part of the phones' firmware when people bought them, and in some cases the malicious code was built directly into the WhatsApp app itself.

Most of the compromised devices are cheap models designed to look like expensive phones from major brands. At least four of them carry the brand name SHOWJI.

The attackers also tamper with what the phone reports about itself. The "About Device" page and hardware-information apps such as AIDA64 and CPU-Z are fed false values, so a handset appears to run the latest Android 14 on better hardware than it actually has. The malicious apps were built with LSPatch, a tool that injects the trojan, named "Shibai", into legitimate software. Around 40 apps, including messaging apps and QR code scanners, were modified this way to secretly carry the malware.

Doctor Web found that the fake apps hijack the normal app update process to quietly download APK files from a server controlled by the attackers. The trojan then scans chat messages for strings that look like cryptocurrency wallet addresses, particularly Ethereum and Tron addresses.

If it finds one, it swaps it for the attacker's wallet address so that the funds are sent to the attacker instead.

Here's how the trick works:

  • If you send someone your wallet address, your phone shows you the address you typed, but the recipient sees the attacker's wallet address instead.
  • If someone sends you their wallet address, they see their real address on their own screen, but your phone silently rewrites it to the attacker's wallet address before displaying it.

In both cases, any crypto sent on the basis of that message ends up with the attackers instead.
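As an added illustration (not code from Doctor Web's report or from the trojan itself), the following Python models the address-detection and substitution step described above, and adds the out-of-band check a practitioner would use against it: compare the addresses in the message as composed with the addresses in the message as actually received. The regular expressions, the constructed attacker addresses, the sample message and all function names are assumptions made for this example; the trojan's real matching rules are not published on this page.

```python
import re
from itertools import zip_longest

# Regexes for the two address formats the report says the trojan looks for
# (assumption for this example: the trojan's exact matching rules are not given).
# Ethereum: "0x" followed by 40 hex characters. Tron: 34 base58 characters starting with "T".
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRX_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")

# Constructed attacker-controlled addresses for the simulation (not addresses from the report).
ATTACKER_ETH = "0x" + "ab" * 20
ATTACKER_TRX = "T" + "Q" * 33


def find_addresses(text):
    """Return (chain, address) pairs in order of appearance in a message."""
    hits = [("ETH", m.start(), m.group(0)) for m in ETH_RE.finditer(text)]
    hits += [("TRX", m.start(), m.group(0)) for m in TRX_RE.finditer(text)]
    return [(chain, addr) for chain, _, addr in sorted(hits, key=lambda h: h[1])]


def clipper_substitute(text, attacker_eth=ATTACKER_ETH, attacker_trx=ATTACKER_TRX):
    """Model of the substitution step: every address of a supported chain is replaced
    with the attacker's address for that chain. The same rewrite is applied to an
    outgoing message before it is sent and to an incoming message before it is shown."""
    text = ETH_RE.sub(attacker_eth, text)
    text = TRX_RE.sub(attacker_trx, text)
    return text


def views_of_exchange(composed):
    """The two screens described in the article for a message the victim sends:
    the victim's own phone displays what was typed, the recipient gets the rewritten copy."""
    return {"sender_sees": composed, "recipient_sees": clipper_substitute(composed)}


def detect_substitution(composed, received):
    """Out-of-band integrity check: compare the addresses in the message as composed
    (e.g. read out over a voice call) with the addresses in the message as received.
    Returns a list of (chain, expected, observed) tuples; an empty list means no tampering."""
    mismatches = []
    for (chain, expected), (_, observed) in zip_longest(
        find_addresses(composed), find_addresses(received), fillvalue=("?", None)
    ):
        if expected != observed:
            mismatches.append((chain, expected, observed))
    return mismatches


if __name__ == "__main__":
    # Constructed sample chat message containing one Ethereum and one Tron address.
    msg = "ETH: 0x" + "1234567890" * 4 + " or TRX: T" + "A" * 33
    views = views_of_exchange(msg)
    print("sender sees:   ", views["sender_sees"])
    print("recipient sees:", views["recipient_sees"])
    for chain, expected, observed in detect_substitution(msg, views["recipient_sees"]):
        print(f"{chain} address was swapped: {expected} -> {observed}")
```

The point of `detect_substitution` is that the check must use a channel the compromised phone cannot rewrite: the sender reads the first and last characters aloud, or the recipient confirms the address on a device that was not bought from the same source. A checksum on the address alone does not help here, because the attacker's substitute address is itself a valid address.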

Besides swapping wallet addresses, the malware also steals other personal data from the phone. It can:

  • Collect details about the device
  • Read all your WhatsApp messages
  • Copy image files (.jpg, .png, .jpeg) from folders such as DCIM, Pictures, Downloads and Screenshots

The images are copied so the attackers can search them for wallet recovery phrases (also called mnemonic phrases), the list of words that grants full access to a cryptocurrency wallet. People often keep a screenshot of this phrase on the phone; anyone who obtains it can restore the wallet elsewhere and drain it.

No one knows exactly who is behind the attack yet, but the operators use about 30 websites to spread the fake apps and more than 60 servers to control the infected phones.

Researchers found that the attackers have used about 20 crypto wallets and received over $1.6 million in the past two years, which shows that infecting phones during manufacturing has been very successful for them.

Separately, the Swiss cybersecurity company PRODAFT has discovered a new Android malware family called "Gorilla". It is built to steal personal information such as the phone model, phone number, Android version, SIM card details and the list of installed apps, to keep persistent control of the infected device, and to carry out instructions from a remote server.

The malware is written in Kotlin and focuses mainly on reading text messages (SMS) and keeping a constant connection to the attacker's server. It currently makes little effort to hide itself, which suggests it is still under development.

In recent months, Android apps carrying a trojan known as FakeApp were found on the Google Play Store. These apps fetch their instructions from a DNS server controlled by the attackers, including the address of a website to open.

The apps pose as popular games or well-known applications. Once installed, they can receive commands from the attackers to:

  • Open attacker-chosen websites
  • Display phishing pages or fake login screens to steal credentials

These apps have since been removed from the Play Store.
