Malware on Cheap Android Phones Steals Cryptocurrency via Fake WhatsApp Scams

A New Wave of Smartphone-Based Attacks Targeting Crypto Wallets

A recent investigation by Doctor Web has unveiled a concerning trend in the realm of smartphone security, where a rise in malware-infected Android devices is facilitating a sophisticated attack on cryptocurrency wallets, often without the victims’ knowledge. This coordinated effort involves embedding spyware directly into the software of newly sold phones, with the primary objective of intercepting cryptocurrency transactions through a compromised version of WhatsApp.

Cheap Phones, Costly Consequences

The smartphones involved in this troubling scenario bear a striking resemblance to well-known premium models. Devices such as the “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra” present attractive branding and impressive specifications. However, these devices are running outdated software while masquerading as having the latest Android version, and they come preloaded with harmful software. These infected smartphones include modified versions of WhatsApp functioning as clippers—malicious tools designed to replace legitimate cryptocurrency wallet addresses with those belonging to the attackers. This nefarious software operates silently, altering wallet strings for prominent cryptocurrencies like Ethereum and Tron during transactions made via chat. Alarmingly, victims remain oblivious to any irregularities; the malware displays the correct wallet address on the sender’s device, but sends a different one to the recipient, resulting in lost funds without raising suspicions.
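The substitution behaviour described above can be checked for from the defender's side. The following is an added example, not code from Doctor Web's report or from WhatsApp: it assumes that the text a user composed and the text actually transmitted can both be captured (for instance on an instrumented test device or through a proxy), extracts the Ethereum and Tron addresses from each, validates Tron addresses against their Base58Check checksum, and flags any position where the address changed in transit. The `tron_address` helper only builds constructed sample addresses so the check can run offline.

```python
import hashlib
import re

# Added example, not Doctor Web's or WhatsApp's code. Assumes the composed and
# the transmitted text of a message are both available for comparison.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")           # syntax only (EIP-55 needs keccak)
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")  # candidates, then checksum
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out  # leading zero bytes -> '1'

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(s) - len(s.lstrip("1"))) + body

def checksum(body):
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def tron_address(hash20):
    """Constructed sample only: Tron mainnet address = Base58Check(0x41 || 20-byte hash)."""
    body = b"\x41" + hash20
    return b58encode(body + checksum(body))

def tron_address_valid(addr):
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and raw[21:] == checksum(raw[:21])

def find_addresses(text):
    """(kind, address) pairs in order of appearance; Tron candidates must pass the checksum."""
    hits = [(m.start(), "eth", m.group()) for m in ETH_RE.finditer(text)]
    hits += [(m.start(), "tron", m.group()) for m in TRON_RE.finditer(text)
             if tron_address_valid(m.group())]
    return [(kind, addr) for _, kind, addr in sorted(hits)]

def detect_substitution(composed, transmitted):
    """Pair addresses by position; any differing pair is the clipper's signature."""
    pairs = zip(find_addresses(composed), find_addresses(transmitted))
    return [(a, b) for (_, a), (_, b) in pairs if a != b]
```

The same comparison works on the receiving side when the recipient confirms the expected address over a second channel and treats any mismatch with the message text as a compromised device.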

Not Just WhatsApp

The malicious actors have extended their reach beyond WhatsApp, as evidenced by Doctor Web’s findings of nearly 40 counterfeit applications. These include popular messaging platforms like Telegram, various crypto wallets such as Trust Wallet and MathWallet, and QR code scanners. The infection technique employs a tool named LSPatch, which modifies applications without altering their core code, allowing the malicious software to evade detection and persist through updates. This campaign is particularly insidious due to its supply chain implications, as researchers suspect that the compromise occurred during the manufacturing process, leading to infected devices being sold to consumers. Many of these smartphones are produced by lesser-known Chinese manufacturers, with some linked to a brand called “SHOWJI.”

Beyond Message Hijacking

The spyware’s capabilities extend beyond merely altering wallet addresses; it actively searches through targeted devices’ folders—such as DCIM, Downloads, and Screenshots—for images containing recovery phrases. Many users take screenshots of these phrases for convenience, but they constitute the master keys to their crypto wallets. If hackers acquire these phrases, they can swiftly access and drain the associated accounts. Compounding the issue, the unauthorized WhatsApp update mechanism does not source updates from legitimate servers; instead, it retrieves them from domains controlled by the attackers, ensuring that the spyware remains operational and current. Doctor Web has identified over 60 servers and 30 domains linked to this malicious campaign. Some wallets controlled by the perpetrators have already amassed over $1 million in stolen funds, with others holding significant amounts, though the full scope of the financial damage remains uncertain due to the dynamic nature of many wallet addresses.

How to Stay Safe

Cybersecurity specialists at Doctor Web have issued a warning urging users to exercise caution regarding mobile devices and cryptocurrency security. They advise against purchasing Android smartphones from unverified sellers, especially if the pricing appears unusually low. To verify a device’s authenticity, tools like DevCheck can be utilized to confirm hardware specifications, as counterfeit models often manipulate system details, even within reputable apps like CPU-Z or AIDA64. Additionally, experts recommend against storing recovery phrases, passwords, or private keys in unencrypted formats, such as images or text files, as these can easily fall victim to spyware. Employing reliable security software may help detect more profound system-level threats. When downloading applications, it is safest to utilize official sources like Google Play. Although this malware campaign is presently targeting Russian-speaking users, the pre-installed malware on inexpensive Android devices, including smartphones and TV boxes, has already been used to exploit unsuspecting individuals globally. Thus, regardless of geographical location, it is prudent to investigate any off-brand devices purchased recently to ensure their integrity.