
Trojanized Apps Found Pre-installed on Cheap Chinese Android Devices Target Cryptocurrency Users


CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


A growing cybersecurity concern has emerged around budget Android smartphones manufactured by Chinese companies, which have been found pre-installed with trojanized applications disguised as popular messaging apps like WhatsApp and Telegram. According to new findings from Russian cybersecurity firm Doctor Web, these devices are being shipped with malware designed to steal cryptocurrency from unsuspecting users.

A Supply Chain Compromise at the Manufacturer Level

What sets this campaign apart from typical malware distribution is that the malicious apps are baked directly into the firmware during manufacturing. Doctor Web's researchers confirmed that malicious code was embedded in legitimate apps, particularly in a modified version of WhatsApp, before the phones were ever delivered to consumers.

The affected devices are primarily low-cost smartphones that mimic high-end models from brands like Samsung and Huawei. Examples include names such as S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four of these models are branded under the SHOWJI label.

Faking Specifications and Operating System Details

The threat actors went to great lengths to deceive users. A spoofing app makes the phones report false technical specifications on system information pages such as the “About Device” screen and in third-party utilities like AIDA64 and CPU-Z, which then show the devices running Android 14 with upgraded hardware; neither claim is true.
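Two of the indicators described above (a firmware that claims a newer Android release than it really is, and a consumer messaging app that ships on the firmware partition instead of being installed from Google Play) can be checked from a workstation with nothing more than `adb`. The following triage script is an added example, not code from Doctor Web or from this article; it parses the output of `adb shell getprop` and `adb shell pm list packages -f`, and the sample output embedded in it is constructed, not captured from a real device. The release-to-API-level table and the partition list are standard Android facts; the watch-list of package names is an assumption you would extend for your own fleet.

```python
import re

# Android release -> API level as reported by ro.build.version.sdk.
# (Android 12 and 12L both report release "12" but API levels 31 and 32.)
RELEASE_TO_SDK = {"9": {28}, "10": {29}, "11": {30}, "12": {31, 32}, "13": {33}, "14": {34}}

# Firmware partitions: an APK living here was shipped by the manufacturer, not installed by the user.
FIRMWARE_PARTITIONS = ("/system/", "/system_ext/", "/product/", "/vendor/", "/odm/", "/oem/")

# Messaging apps a consumer normally installs from Google Play into /data/app.
# Finding them on a firmware partition is the pattern the article describes. (Assumed watch-list.)
WATCHLIST = {"com.whatsapp", "org.telegram.messenger"}


def parse_getprop(output: str) -> dict[str, str]:
    """Parse `adb shell getprop` lines of the form `[key]: [value]`."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\[([^\]]+)\]: \[([^\]]*)\]", output)}


def parse_pm_list(output: str) -> dict[str, str]:
    """Parse `adb shell pm list packages -f` lines (`package:<apk path>=<package name>`)."""
    pkgs = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            path, _, name = line[len("package:"):].rpartition("=")
            pkgs[name] = path
    return pkgs


def version_claim_consistent(props: dict[str, str]) -> bool:
    """True when the advertised Android release matches the API level the build reports.
    A mismatch means at least one of the two values is not what the build really is."""
    release = props.get("ro.build.version.release", "").split(".")[0]
    sdk = props.get("ro.build.version.sdk", "")
    return sdk.isdigit() and int(sdk) in RELEASE_TO_SDK.get(release, set())


def firmware_resident_watchlist(pkgs: dict[str, str]) -> list[str]:
    """Watch-listed packages whose APK lives on a firmware partition."""
    return sorted(name for name, path in pkgs.items()
                  if name in WATCHLIST and path.startswith(FIRMWARE_PARTITIONS))


def triage(getprop_output: str, pm_output: str) -> list[str]:
    """Return one finding string per indicator; an empty list means neither check fired."""
    findings = []
    props = parse_getprop(getprop_output)
    if not version_claim_consistent(props):
        findings.append("android-version-mismatch:"
                        f"release={props.get('ro.build.version.release')},"
                        f"sdk={props.get('ro.build.version.sdk')}")
    for name in firmware_resident_watchlist(parse_pm_list(pm_output)):
        findings.append(f"firmware-resident-messenger:{name}")
    return findings


# Constructed sample output (not from a real device): the build claims Android 14
# but reports API level 28, and WhatsApp ships on the /system partition.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.sdk]: [28]
[ro.product.model]: [S24 Ultra]
"""
SAMPLE_PM_LIST = """\
package:/system/app/WhatsApp/WhatsApp.apk=com.whatsapp
package:/data/app/~~Zx1/org.telegram.messenger-Ab2/base.apk=org.telegram.messenger
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_GETPROP, SAMPLE_PM_LIST):
        print(finding)
```

The firmware-path check is the stronger of the two signals: an app that hooks the framework to fake the “About Device” screen can in principle also fake the system properties, so a consistent version pair is not proof of a clean build, whereas a WhatsApp APK under `/system/app` is a fact about the firmware image that the spoofing app has no reason to hide.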

The Shibai Trojan and LSPatch Tool

The malware, identified as Shibai, was created using LSPatch, an open-source framework that enables developers to inject custom code into Android applications. This approach was used to modify around 40 legitimate apps, including messaging platforms and QR code readers.

One of the trojan's primary functions is a cryptocurrency clipper, a component that detects and replaces cryptocurrency wallet addresses. When a user copies or sends an address for an Ethereum or Tron transaction, the malware silently swaps it for an address belonging to a wallet the attacker controls.

“In the case of an outgoing message, the compromised device displays the correct address of the victim's own wallet, while the recipient sees the fraudsters' address,” Doctor Web explained. The same address manipulation occurs with incoming messages, misleading both sender and recipient.
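Because the clipper keeps the sender's screen showing the right address while changing what actually goes out, the only reliable way to catch it is to compare the address as displayed with the address the other party received (for instance, by having the recipient read it back over a voice call). The script below is an added example, not code from Doctor Web or from this article: it extracts Ethereum and Tron addresses from message text, validates the Tron base58check format (prefix byte 0x41, 25 bytes, 4-byte double-SHA-256 checksum, which is the public Tron address format), and reports any address that differs between the two copies of a message. The two wallets in the sample are constructed from dummy account bytes, and Ethereum addresses are checked for format only, since the EIP-55 mixed-case checksum needs Keccak-256, which the standard library does not provide.

```python
import hashlib
import re
from itertools import zip_longest

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Ethereum: 0x + 40 hex digits. Tron: base58check, 34 characters, always starting with 'T'.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes become leading '1's
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    """First four bytes of SHA-256(SHA-256(payload)), as used by base58check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_encode(payload: bytes) -> str:
    """Base58check-encode a 21-byte Tron payload (0x41 prefix + 20-byte account id)."""
    if len(payload) != 21 or payload[0] != 0x41:
        raise ValueError("Tron payload must be 0x41 followed by 20 bytes")
    return b58encode(payload + _checksum(payload))


def is_valid_tron_address(addr: str) -> bool:
    """Verify alphabet, length, prefix byte and the 4-byte checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and _checksum(raw[:21]) == raw[21:]


def is_valid_eth_address(addr: str) -> bool:
    """Format check only; the EIP-55 checksum (Keccak-256) is not verified here."""
    return ETH_RE.fullmatch(addr) is not None


def find_addresses(text: str) -> list[str]:
    """All Ethereum and Tron addresses in a message, in order of appearance."""
    hits = [(m.start(), m.group()) for m in ETH_RE.finditer(text)]
    hits += [(m.start(), m.group()) for m in TRON_RE.finditer(text)]
    return [addr for _, addr in sorted(hits)]


def detect_substitution(displayed: str, received: str) -> list[tuple[str, str]]:
    """Compare the message as rendered on the sender's screen with the message the
    recipient actually got. A clipper leaves the sender's view intact and swaps the
    address in transit, so every differing (shown, received) pair is a hit."""
    shown, got = find_addresses(displayed), find_addresses(received)
    return [(s, g) for s, g in zip_longest(shown, got, fillvalue="<missing>") if s != g]


# Constructed sample (dummy account bytes, not real wallets): what the victim sees
# on screen versus what the recipient received.
VICTIM_WALLET = tron_encode(b"\x41" + b"\x11" * 20)
ATTACKER_WALLET = tron_encode(b"\x41" + b"\x22" * 20)
DISPLAYED = f"Send the 500 USDT to {VICTIM_WALLET}, thanks"
RECEIVED = f"Send the 500 USDT to {ATTACKER_WALLET}, thanks"

if __name__ == "__main__":
    for shown, got in detect_substitution(DISPLAYED, RECEIVED):
        print(f"address substituted: shown {shown}, received {got}")
```

Note that the swapped address passes every format check, because the attacker's wallet is a perfectly valid address; validation only weeds out transcription errors, and the comparison against an out-of-band copy is what actually exposes the clipper.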

Expanded Capabilities: Data Theft and Mnemonic Phrase Harvesting

Beyond wallet address swapping, the malware also has extensive data theft capabilities. These include:

  • Collecting device information

  • Stealing all WhatsApp messages

  • Exfiltrating images from folders like DCIM, Downloads, Documents, and Screenshots

The goal of stealing image files is to identify and extract wallet recovery (mnemonic) phrases, which allow attackers to fully access and drain cryptocurrency wallets.

Scale and Financial Impact

The campaign, active since June 2024, has used over 30 domains and more than 60 command-and-control (C2) servers to manage operations. Analysis of approximately two dozen cryptocurrency wallets linked to the threat actors shows they have received over $1.6 million USD in illicit funds over the past two years, highlighting the financial success of this supply chain attack.

Related Malware Activity in the Android Ecosystem

This discovery comes amid broader concerns over Android-based malware. In a related report, Swiss cybersecurity firm PRODAFT identified a new malware family called Gorilla, written in Kotlin, that focuses on:

  • SMS interception

  • Collecting device and SIM card metadata

  • Maintaining persistent access via C2 communications

Although Gorilla currently lacks obfuscation, researchers warn it’s actively under development and could evolve into a more serious threat.

Additionally, researchers have flagged apps containing the FakeApp trojan, which were recently removed from the Google Play Store. These apps impersonated popular games and used a remote DNS-based configuration to trigger malicious activity, including:

  • Redirecting users to phishing websites

  • Loading malicious advertisements or fake login screens

  • Executing commands from remote servers

Conclusion

The pre-installation of malware on budget Android devices represents a troubling escalation in mobile cybersecurity threats. By compromising devices at the manufacturing stage, attackers eliminate the need for user interaction and can operate undetected for long periods. For users, this highlights the need to:

  • Purchase smartphones from reputable vendors

  • Use mobile antivirus tools

  • Monitor crypto wallet activity for unauthorized transactions

As Android continues to be a dominant platform globally, ensuring the integrity of the mobile supply chain will be critical to protecting end-users and financial assets.