Cybersecurity researchers at Dr.Web have uncovered a sophisticated malware campaign targeting cryptocurrency users through counterfeit budget smartphones. The operation involves compromised devices with pre-installed malicious versions of WhatsApp, designed to intercept and manipulate cryptocurrency transactions through clipboard manipulation techniques.
Supply Chain Compromise and Distribution Network
The investigation began with reports from users who had installed Dr.Web Security Space antivirus on newly purchased Android devices. System partition scans revealed suspicious WhatsApp variants containing malicious code. The threat actors successfully infiltrated Chinese manufacturers’ supply chains, enabling the distribution of compromised devices across multiple markets. This supply chain attack represents a significant escalation in mobile device threats.
Identification of Compromised Devices
The affected smartphones are aimed primarily at budget-conscious consumers and masquerade as popular flagship models, with names such as S23 Ultra, Note 13 Pro, and P70 Ultra. Notably, approximately one-third of infected devices operate under the SHOWJI brand. These counterfeits include specialized software designed to falsify device specifications in both system settings and diagnostic applications, making detection more challenging.
Technical Analysis of the Malware
The malware, dubbed “Shibai,” employs the LSPatch framework to modify WhatsApp’s core functionality. Key malicious capabilities include:
- Cryptocurrency wallet address interception and replacement
- Prevention of legitimate application updates
- Extraction of personal data and seed phrase scanning from images
- Transmission of user messages to attacker-controlled servers
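The address replacement listed above is the classic clipper pattern: an address the user copied or sent comes back as a different address of the same format. The following Python is an added example, not code from Dr.Web's report or from the malware, of a defender-side check that replays a log of clipboard events and flags that substitution; the address regexes and the sample events are assumptions, since the article names no specific chains.

```python
import re

# Address families the checker recognises. Assumption: the report does not
# name specific chains, so these patterns are illustrative.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron":       re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text):
    """Return the address family `text` belongs to, or None if it is not one."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_clipper(events):
    """Replay (action, text) clipboard events, action in {'copy', 'paste'}.

    An alert is raised when the most recent copied text was a wallet address
    and the pasted text is a *different* wallet address: the user never typed
    it, so something between copy and paste rewrote it.
    """
    alerts = []
    last_copied = None
    for action, text in events:
        if action == "copy":
            last_copied = text.strip()
            continue
        if action != "paste" or last_copied is None:
            continue
        pasted = text.strip()
        copied_family = classify_address(last_copied)
        pasted_family = classify_address(pasted)
        if copied_family and pasted_family and pasted != last_copied:
            alerts.append({"family": pasted_family,
                           "copied": last_copied, "pasted": pasted})
    return alerts


# Constructed sample log: one benign paste, one swapped ETH address, one
# unchanged bech32 address. None of these values come from the report.
SAMPLE_EVENTS = [
    ("copy", "see you at 10"), ("paste", "see you at 10"),
    ("copy", "0x" + "1" * 40), ("paste", "0x" + "2" * 40),
    ("copy", "bc1" + "q" * 39), ("paste", "bc1" + "q" * 39),
]
```

Running `detect_clipper(SAMPLE_EVENTS)` yields exactly one alert, for the ETH pair; the same comparison applies to a message as composed versus as delivered, which is where this campaign's WhatsApp mod does its rewriting.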
Impact Assessment and Infrastructure
Security researchers have identified more than 60 command-and-control servers and approximately 30 domains associated with this operation. The financial impact has been substantial, with just two monitored cryptocurrency wallets containing over $1.5 million in stolen funds. The actual damage is likely significantly higher, considering the campaign’s scale and duration.
To protect against such sophisticated supply chain attacks, security experts recommend implementing a multi-layered defense strategy: purchase devices exclusively from authorized retailers, verify device authenticity before use, install reputable security software, and maintain strict operational security practices when handling cryptocurrency transactions. Users should be particularly vigilant when encountering budget devices offering premium features at suspiciously low prices, as these may indicate potential counterfeits harboring malicious code.