Chinese Android Phones Preloaded with Malicious Apps Targeting Cryptocurrency Users

In a concerning development, several low-cost Android smartphones manufactured by Chinese companies have been found to come pre-installed with malicious applications disguised as popular messaging apps like WhatsApp and Telegram. These trojanized apps are designed to steal cryptocurrency from unsuspecting users, marking a significant escalation in cyber threats targeting mobile devices.

Discovery and Modus Operandi

The Russian cybersecurity firm Doctor Web uncovered this campaign, which has been active since June 2024. The attackers have infiltrated the supply chains of various Chinese manufacturers, embedding malware directly into the firmware of new devices. This means that users receive compromised phones straight out of the box, without any action on their part.

The primary targets are low-end smartphones that mimic high-end models from brands like Samsung and Huawei, with names such as S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four affected models are produced under the SHOWJI brand. To deceive users, the attackers have manipulated the device specifications displayed in system settings and hardware information apps, falsely indicating that the phones run on Android 14 and possess superior hardware features.

Technical Details of the Malware

The malicious applications are created using an open-source project called LSPatch, which allows the injection of harmful code into legitimate software. Approximately 40 different applications, including messaging apps and QR code scanners, have been modified in this manner.

Once installed, the malware, dubbed Shibai, hijacks the app update process to download additional malicious components from servers controlled by the attackers. It then monitors chat conversations for cryptocurrency wallet addresses associated with Ethereum or Tron. When such an address is detected, the malware replaces it with the attacker’s wallet address, effectively rerouting any cryptocurrency transactions to the cybercriminals.

Notably, the malware ensures that the sender sees their correct wallet address, while the recipient receives the substituted address, making the substitution difficult to detect. Additionally, the malware collects device information, all WhatsApp messages, and images from various folders, including DCIM, Pictures, Alarms, Downloads, Documents, and Screenshots. The goal is to scan these images for wallet recovery phrases, enabling the attackers to gain unauthorized access to victims’ cryptocurrency wallets and drain their assets.
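The substitution described above only becomes visible when the sender's copy of a message is compared with the copy the recipient actually received. As an added example (not Doctor Web's code and not the malware's), the Python below does that comparison for the two address formats the campaign targets: Ethereum addresses are matched by pattern, Tron addresses are additionally validated through base58check so that a random base58 string is not flagged; the 20-byte account hashes used to build sample addresses are constructed.

```python
import hashlib
import re
from itertools import zip_longest

# Ethereum: 0x + 40 hex chars; Tron: 34-char base58check string starting with 'T'.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)      # ValueError on a non-base58 character
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))   # each leading '1' encodes a zero byte
    return b"\x00" * pad + raw

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def is_valid_tron(addr: str) -> bool:
    """True if addr decodes to 0x41 || 20-byte hash || 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def tron_address(hash20: bytes) -> str:
    """Checksummed Tron address from a 20-byte account hash (only used to build sample data)."""
    body = b"\x41" + hash20
    return b58encode(body + hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4])

def extract_addresses(text: str) -> list[str]:
    """Ethereum addresses found in text, followed by the Tron candidates that pass the checksum."""
    return ETH_RE.findall(text) + [a for a in TRON_RE.findall(text) if is_valid_tron(a)]

def find_substitutions(composed: str, delivered: str) -> list[tuple]:
    """(sent, received) pairs that differ between the sender's copy and the recipient's.
    A Shibai-style swap shows up here because the sender's own view keeps the original."""
    sent, recv = extract_addresses(composed), extract_addresses(delivered)
    return [(s, r) for s, r in zip_longest(sent, recv) if s != r]
```

A pair with `None` on one side means an address was dropped or added in transit rather than swapped.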

Scope and Impact

The attackers have used approximately 30 domains to distribute the malicious applications and operate over 60 command-and-control servers to manage the operation. Analysis of nearly two dozen cryptocurrency wallets used by the threat actors reveals that they have received more than $1.6 million over the past two years, indicating the substantial success of this supply chain compromise.

Historical Context

This incident is not an isolated case. In 2016, the HummingBad malware, linked to the Chinese advertising analytics agency Yingmob, infected over 10 million Android devices worldwide, generating fraudulent advertising revenue of up to $300,000 monthly. The malware provided cybercriminals with administrative access to infected devices, allowing them to download apps and click on ads without user consent. The majority of infections were in China and India, with over 1 million cases each, while the U.S. had around 250,000 infected devices. Google actively worked on blocking installations of infected apps to protect users. ([time.com](https://time.com/4393240/hummingbad-china-chinese-malware-android/?utm_source=openai))

In 2020, it was reported that thousands of Tecno W2 smartphones sold in Africa contained malware that signed users up to subscription services without their permission. The malware, known as Triada, installed malicious code called xHelper, which found subscription services and submitted fraudulent requests on behalf of users, consuming pre-paid airtime. The manufacturer, Transsion, stated that the issue was an old and solved mobile security issue globally and issued a fix in March 2018. ([bbc.com](https://www.bbc.com/news/technology-53903436?utm_source=openai))

Similarly, in 2020, it was discovered that mobile phones offered to low-income families via a U.S. government scheme came preloaded with Chinese malware. The Android-based phone, UMX U686CL, made by a Chinese company, had pre-installed apps that were malicious and could not be removed by the user. One of the apps, which appeared as a wireless update program, automatically installed more apps without user consent and transmitted data to a Chinese server every 72 hours. ([bbc.com](https://www.bbc.com/news/technology-51054901?utm_source=openai))

Implications and Recommendations

The recurrence of such incidents underscores the critical need for stringent security measures in the smartphone supply chain. Users are advised to purchase devices from reputable manufacturers and authorized retailers to minimize the risk of pre-installed malware. Regularly updating device software and using reliable security applications can also help detect and mitigate potential threats.

For manufacturers, implementing rigorous security protocols during the production process is essential to prevent the embedding of malicious code. Collaborating with cybersecurity experts to conduct thorough audits and vulnerability assessments can further enhance the security of devices before they reach consumers.

As cyber threats continue to evolve, staying informed and vigilant is paramount for both consumers and manufacturers to safeguard against malicious activities targeting personal and financial information.