Friday, April 18, 2025

Researchers at Doctor Web have uncovered that several low-cost Android smartphones from China come preloaded with malware during the manufacturing process. The malicious apps include trojanized versions of WhatsApp and Telegram, which are embedded with crypto clipper malware. This malware monitors the clipboard and automatically replaces copied cryptocurrency wallet addresses with those belonging to the attackers.
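A defender-side illustration of the clipboard substitution described above, added here and not part of the Doctor Web research: a heuristic that scans a constructed clipboard event log and flags a wallet address being overwritten by a different address of the same family within a few seconds, which is the signature of a clipper at work. The event format, package names, address patterns and sample addresses are all assumed or constructed for this example.

```python
import re
from dataclasses import dataclass

# Simplified address shapes for two common clipper targets (assumption:
# a real validator would also check checksums and bech32 encoding).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_family(text: str):
    """Return the coin family a clipboard string looks like, or None."""
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return name
    return None

@dataclass
class ClipEvent:
    ts: float      # seconds since log start (constructed format)
    writer: str    # package that wrote the clipboard
    content: str

def detect_clipper(events, window=5.0):
    """Heuristic: a wallet address replaced by a *different* address of the
    same family within `window` seconds is suspicious, since a human rarely
    copies two distinct addresses that fast. Returns a list of
    (event index, writer, original address, replacement address)."""
    findings = []
    last = None  # (ts, family, content) of the most recent address-like write
    for i, ev in enumerate(events):
        fam = address_family(ev.content)
        if fam is None:
            last = None          # non-address content breaks the chain
            continue
        if last and last[1] == fam and ev.content != last[2] \
                and ev.ts - last[0] <= window:
            findings.append((i, ev.writer, last[2], ev.content))
        last = (ev.ts, fam, ev.content)
    return findings

# Constructed sample log: user copies an ETH address from a browser, a
# trojanized messenger overwrites it 400 ms later, then unrelated text.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "com.android.chrome", "0x" + "1a" * 20),
    ClipEvent(0.4, "org.telegram.messenger", "0x" + "b2" * 20),
    ClipEvent(30.0, "com.android.chrome", "meeting at 3pm"),
]

if __name__ == "__main__":
    for idx, who, orig, repl in detect_clipper(SAMPLE_EVENTS):
        print(f"event {idx}: {who} replaced {orig} with {repl}")
```

The same comparison, done by the user before confirming a transfer (pasted address equals the one shown by the payee), is the cheapest mitigation against this class of malware.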
These counterfeit devices are often marketed under model names mimicking popular brands, such as S23 Ultra, Note 13 Pro, and P70 Ultra, but are actually built with low-grade hardware. Additionally, the phones falsely report themselves as running Android 14 by spoofing system information using tools like LSPatch and fake system apps, even though they are based on a modified Android 12. Around one-third of the compromised devices were found to be manufactured under the brand name SHOWJI.
The malware, identified in Doctor Web’s database as “Shibai,” is capable of intercepting chats, interfering with system updates, modifying wallet-related messages in apps, and even scanning images on the device for mnemonic phrases – enabling complete theft of users’ cryptocurrency holdings. Shibai uses a command-and-control (C2) infrastructure consisting of more than 60 servers and 30 domains. Some wallets associated with the attackers have reportedly collected over $1 million in stolen funds within just two years.
While this is not the first report of pre-installed malware on Android phones, it reinforces growing concerns. Previous investigations by G Data, Bluebox, and Palo Alto Networks have also revealed malware embedded at the factory level, particularly in Chinese brands like Coolpad, Xiaomi, Huawei, and Lenovo. This recurring issue underscores the ongoing global risk of supply chain-compromised smartphones, especially for everyday users.