A sophisticated campaign that pre-installs malware onto budget Android smartphones, targeting cryptocurrency users through a technique known as “clipping” has been discovered by Doctor Web‘s virus lab.
Its findings reveal that malefactors have embedded a trojanized version of WhatsApp directly into the system partition of newly manufactured devices, exposing users to stealthy financial theft from the moment they activate their phones.
Starting in June 2024, Dr Web began receiving reports from users who installed its Security Space antivirus on new Android devices. Investigations confirmed that these phones — usually sold under names resembling popular brands like “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra” — came preloaded with malicious software designed to hijack cryptocurrency transactions.
Altering Clipboard Data
The attack method revolves around intercepting and altering clipboard data. When a user copies a cryptocurrency wallet address — typically a string of 25–42 characters — the malware silently replaces it with a wallet address controlled by the bad actors. Victims unknowingly send funds to criminals instead of their intended recipients.
To evade detection, the trojan also fakes displayed wallet addresses locally, showing users their correct address while actually transmitting the malefactor’s address.
This campaign is an evolution of tactics first observed in 2023, where threat actors distributed malicious messenger apps through YouTube links targeting Chinese users. This time, however, attackers have compromised the supply chain of certain Chinese smartphone manufacturers, embedding malware into devices at the factory level.
Many affected models falsely advertise high-end specs and Android 14, while actually running manipulated builds of Android 12. Fraudsters even spoof system information displayed by popular apps like AIDA64 and CPU-Z.
A Campaign of Significant Scale
Doctor Web’s analysis revealed that around 40 legitimate applications — including popular messengers and cryptocurrency wallets like MathWallet and Trust Wallet — were modified using the LSPatch tool.
Infected apps load additional malicious modules such as com.whatsHook.apk, which perform clipboard hijacking and exfiltrate all WhatsApp chat messages to attacker-controlled servers. The objective: harvest mnemonic recovery phrases, which can be used to instantly seize full control of a user’s crypto wallets.
The campaign’s scale is significant. Researchers identified over 60 command-and-control servers and about 30 domains used to distribute malicious apps, and financial data suggests that the attackers have stolen millions of dollars across multiple cryptocurrency wallets over the past two years.
To stay safe, Doctor Web advises users to:
- Avoid smartphones with technical specs that seem too good for their price.
- Only download apps from trusted sources like Google Play, RuStore, or AppGallery.
- Avoid storing sensitive data such as wallet recovery phrases or passwords as screenshots or unencrypted files on mobile devices.
- Install reputable mobile antivirus solutions.
A Serious Issue
“The revelation that cheap Android smartphones are coming pre-loaded with trojans is a serious issue,” says Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “It’s not about consumers being socially engineered into downloading a malicious app, these are compromised devices straight from the factory.”
Malik says the fact that this operation has coined it to the tune of more than £1.6 million shows it’s not just technically impressive, but financially lucrative as well. “It requires close collaboration from manufacturers, security professionals, and regulators alike – only when we have a security culture that is shared across the supply chain can we stand a chance at adequately protecting against these kinds of attacks.”
Important Lessons to be Learned
“There are a few important lessons to draw from reports that Chinese Android phones were shipped with fake versions of WhatsApp and Telegram targeting crypto users,” adds Jamie Akhtar, CEO and Co-founder of CyberSmart.
“Firstly, it underscores how sophisticated and well-resourced some supply chain attacks have become. Preloading trojanized apps at the manufacturing or distribution level gives attackers a head start, effectively bypassing traditional security measures and placing users at immediate risk the moment they power up their devices.”
Akhtar says it also highlights the growing intersection between mobile threats and financial crime, particularly in the crypto space. “Cybercriminals know that mobile devices are often poorly protected and that many users store or manage digital assets on them. By mimicking trusted apps like WhatsApp and Telegram, popular choices for crypto discussions and transactions, attackers exploit both brand trust and user habits. It’s a reminder that app authenticity, especially on imported or lesser-known devices, must never be taken for granted.”
Finally, Akhtar says there should be greater scrutiny and regulation around device security at the point of origin. “Users shouldn’t have to be reverse engineers to trust their phones. Manufacturers must be held to higher security standards, and governments and mobile providers need to do more to vet devices entering the market. In the meantime, consumers can help protect themselves by using verified app stores, avoiding sideloading, and running mobile security software. But ultimately, the responsibility lies with those putting these devices into the hands of the public.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.