![New Beats USB-C Charging Cables Now Available on Amazon [Video]](https://www.iclarified.com/images/news/97060/97060/97060-640.jpg)
![Apple M4 13-inch iPad Pro On Sale for $200 Off [Deal]](https://www.iclarified.com/images/news/97056/97056/97056-640.jpg)
![[U:Fixed] Pixel 9a selfie camera bug causes flickering in low light, but doesn’t affect photos](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/04/Pixel-9a-pink-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Building a tree(s) by combining XML, XSD, EXP files [closed]](https://cdn.sstatic.net/Sites/softwareengineering/Img/apple-touch-icon@2.png?v=1ef7363febba)
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Newly Purchased Android Phones With Pre-installed Malware Mimic as WhatsApp
A sophisticated cryptocurrency theft operation has been uncovered where brand-new Android smartphones arrive with pre-installed malware masquerading as legitimate WhatsApp applications. Threat actors have infiltrated the supply chain of several Chinese smartphone manufacturers, embedding malicious code directly into system applications on devices before they reach consumers. Since June 2024, Doctor Web’s virus laboratory has received […] The post Newly Purchased Android Phones With Pre-installed Malware Mimic as WhatsApp appeared first on Cyber Security News.
A sophisticated cryptocurrency theft operation has been uncovered where brand-new Android smartphones arrive with pre-installed malware masquerading as legitimate WhatsApp applications.
Threat actors have infiltrated the supply chain of several Chinese smartphone manufacturers, embedding malicious code directly into system applications on devices before they reach consumers.
Since June 2024, Doctor Web’s virus laboratory has received numerous reports from customers who discovered suspicious WhatsApp installations on their newly purchased Android phones.
Supply Chain Compromise
Investigation revealed these weren’t isolated incidents but part of a coordinated campaign targeting cryptocurrency users through a technique known as “clipping.”
The affected devices are primarily low-cost smartphones with deceptive branding that mimics premium models like “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra.”
Many compromised devices were manufactured under the SHOWJI brand, though many manufacturers remain unidentified.
The application is used to spoof the technical specifications of the device and the result of its operation.
Android Phones Come Pre-installed
The attackers leveraged the LSPatch framework to modify WhatsApp without altering its primary code, instead loading additional malicious modules.
The core malicious component, identified as com.whatsHook.apk, performs several critical functions that enable cryptocurrency theft.
Dr. Web’s report states that the malware hijacks application updates by redirecting update checks from the legitimate WhatsApp server to attacker-controlled domains.
Code analysis revealed methods that replace legitimate update URLs like hxxps://www.whatsapp.com/android/current/WhatsApp.apk with malicious alternatives such as [hxxps://apk-download.pro/download/whatsapp(.)apk].
Method that hijacks requests to the legitimate update server
Class that swaps the legitimate update address with the fake one
The trojan’s primary theft mechanism involves sophisticated parsing routines that scan both incoming and outgoing messages for cryptocurrency wallet addresses, specifically targeting Tron (34-character strings starting with “T”) and Ethereum (42-character strings starting with “0x”).
When detected, these addresses are silently replaced with attacker-controlled wallets like TN7pfenJ1ePpjoPFaeu46pxjT9rhYDqW66 and 0x673dB7Ed16A13Aa137d39401a085892D5e1f0fCA.
Beyond tampering with wallet addresses, the malware systematically searches the device’s storage directories, including DCIM, PICTURES, DOWNLOADS, and SCREENSHOTS, for image files.
This functionality targets cryptocurrency recovery phrases that users often mistakenly photograph instead of securely recording.
Doctor Web researchers named the trojan “Shibai” after finding the string Log.e(“”, “——————-SHIBAI-释放————“) in its code, likely referencing another cryptocurrency.
The campaign’s scale is extensive, utilizing over 60 command-and-control servers and approximately 30 domains for malware distribution.
Financial analysis of associated cryptocurrency wallets revealed significant profits, with one wallet accumulating over a million dollars in the past two years, while another contained half a million dollars.
Protection Recommendations
Security experts advise consumers to:
- Avoid suspiciously cheap smartphones with specifications that don’t match their price point
- Download applications exclusively from trusted sources like Google Play
- Install reputable mobile security software like Dr.Web Security Space
- Never store screenshots containing mnemonic phrases or cryptocurrency keys on mobile devices
As cryptocurrency adoption continues to increase globally, with approximately 20% of people in developed countries having used digital currencies, this supply chain attack represents a concerning evolution in threat actors’ tactics targeting financial assets.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
The post Newly Purchased Android Phones With Pre-installed Malware Mimic as WhatsApp appeared first on Cyber Security News.
.webp?#)
