
Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp – Source:hackread.com


Source: hackread.com – Author: Waqas.

A new wave of smartphone-based attacks is draining crypto wallets without victims ever realizing it. According to researchers at Doctor Web, a surge in malware-laced Android phones has exposed a coordinated operation where attackers are embedding spyware directly into the software of newly sold devices. The goal is to intercept cryptocurrency transactions through a hijacked version of WhatsApp.

Cheap Phones, Expensive Consequences

The phones in question look familiar. Models like the “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra” imitate premium brands with sleek branding and tempting specs. But beneath the surface they run older software while claiming to have the latest Android version, and they ship with malware built in.

The infected devices ship with preinstalled, modified versions of WhatsApp that operate as clippers, malicious programs designed to replace copied cryptocurrency wallet addresses with the attacker’s own. In use, this fake WhatsApp quietly swaps out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat.

Even more worrying, victims never see anything suspicious. The malware shows the correct wallet address on the sender’s screen but delivers the wrong one to the receiver and vice versa. Everything looks normal until the money disappears.
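A defender-side check for the substitution described above, written for this page as an added example (it is not code from the hackread article or from Dr. Web). The assumption is that the recipient keeps an address book of wallet addresses confirmed out of band (a phone call, a second device); any address arriving in chat that does not match the trusted entry for that contact is flagged before money moves. Tron addresses are also validated with base58check (version byte 0x41 plus a 20-byte account id and a double-SHA-256 checksum), so a clumsy swap that breaks the checksum is caught as well; Ethereum addresses get a format check only, since EIP-55 checksums need Keccak-256, which the standard library lacks. The contacts, messages and addresses are constructed for the example.

```python
"""Flag wallet addresses in chat text that do not match an out-of-band verified address book.

Added example; not the article's or Dr. Web's code. Contacts and messages are constructed.
"""
import hashlib
import re

# Ethereum: 0x followed by 40 hex digits (format check only, no EIP-55 checksum here).
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Tron: 34 base58 characters starting with 'T' (version byte 0x41).
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Bitcoin-style base58 encoding; leading zero bytes become leading '1's."""
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def tron_encode(payload21: bytes) -> str:
    """Tron address = base58check(0x41 || 20-byte account id)."""
    chk = hashlib.sha256(hashlib.sha256(payload21).digest()).digest()[:4]
    return b58encode(payload21 + chk)


def tron_address_valid(addr: str) -> bool:
    """True only if the address decodes to 25 bytes, starts with 0x41 and its checksum holds."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x41:
        return False
    body, chk = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == chk


def extract_addresses(text: str):
    """Return [(address, chain)] for every wallet address found in the message text."""
    found = [(m.group(0), "eth") for m in ETH_RE.finditer(text)]
    found += [(m.group(0), "tron") for m in TRON_RE.finditer(text)]
    return found


def check_message(sender: str, text: str, address_book: dict):
    """Compare each address in an incoming message with the verified entry for its sender.

    Returns a list of (verdict, address) with verdict in
    'ok', 'mismatch', 'unknown' (no verified entry) or 'bad_checksum'.
    """
    findings = []
    trusted = address_book.get(sender, {})
    for addr, chain in extract_addresses(text):
        if chain == "tron" and not tron_address_valid(addr):
            findings.append(("bad_checksum", addr))
            continue
        expected = trusted.get(chain)
        if expected is None:
            findings.append(("unknown", addr))
            continue
        same = addr.lower() == expected.lower() if chain == "eth" else addr == expected
        findings.append(("ok" if same else "mismatch", addr))
    return findings


if __name__ == "__main__":
    # Constructed address book: addresses the user confirmed with the contact out of band.
    alice_eth = "0x" + "ab" * 20
    alice_tron = tron_encode(b"\x41" + bytes(range(20)))
    book = {"alice": {"eth": alice_eth, "tron": alice_tron}}
    # A clipper on either phone would make the second message arrive with a foreign address.
    for msg in ("my wallet is " + alice_eth, "my wallet is 0x" + "cd" * 20):
        print(check_message("alice", msg, book))
```

The important design point is that the reference address never comes from the chat channel itself: a clipper controls what the chat shows, so the only comparison worth making is against something it cannot rewrite. A mismatch verdict is a signal to confirm the address with the contact by another route before sending.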

Not Just WhatsApp

The attackers didn’t stop at one app. According to Dr. Web’s report, researchers found nearly 40 fake applications, including Telegram, crypto wallets like Trust Wallet and MathWallet, QR code readers, and others. The technique behind the infection relies on a tool called LSPatch, which allows modifications without altering the core app code. This method not only evades detection but also lets the malicious code survive updates.

What makes this campaign particularly dangerous is the supply chain angle. Researchers believe the infection occurred at the manufacturing stage, meaning these phones were compromised before reaching store shelves. Many devices originate from smaller Chinese brands, with some models linked to a label called “SHOWJI.” Others remain untraceable.

Smartphone models identified by Dr. Web as malicious: SHOWJI S19 Pro, Note 30i, Camon 20, SHOWJI Note 13 Pro, S23 Ultra, P70 Ultra, SHOWJI X100S Pro, S18 Pro, M14 Ultra, SHOWJI Reno12 Pro, 6 Pro, S24 Ultra.

Beyond Message Hijacking

The spyware doesn’t just swap out wallet addresses; it digs through targeted devices’ image folders like DCIM, Downloads, and Screenshots, looking for pictures of recovery phrases. A lot of people snap screenshots of these for convenience, but those phrases are the master keys to their crypto wallets. If attackers get their hands on them, they can drain the account in minutes.

To make things worse, the malicious WhatsApp update system doesn’t point to official servers. Instead, it fetches updates from domains controlled by the hackers, ensuring the spyware stays functional and up to date.

So far, Doctor Web has identified over 60 servers and 30 domains used in the campaign. Some attacker wallets linked to the operation have already received more than $1 million, with others holding six-figure balances. And because many addresses are generated dynamically, the full financial scope remains unclear.

One of the attacker-controlled wallets has already received a substantial amount of cryptocurrency stolen from victims (screenshot via Dr. Web).

How to Stay Safe

Cybersecurity experts at Dr. Web warned users to be extra cautious, especially when it comes to mobile devices and crypto security. They recommend avoiding Android phones from unverified sellers, particularly if the price feels too good to be true. To check whether a device is genuine, a tool such as DevCheck can help verify the real hardware specs, since fake models often spoof the system details that even well-known apps like CPU-Z or AIDA64 report.

Experts also advise against storing recovery phrases, passwords, or private keys as unencrypted images or text files, which can be easy targets for spyware. Installing reliable security software can help catch deeper system-level threats. And when it comes to downloading apps, it’s safest to stick with official sources like Google Play.

Although the campaign is currently targeting Russian-speaking users, pre-installed malware on cheap Android devices, including smartphones and TV boxes, has already been used against unsuspecting users worldwide. So regardless of your location, if your Android phone isn’t what it claimed to be, or if you’ve recently bought an off-brand device, it is worth checking what’s running under the hood.

    Original Post url: https://hackread.com/pre-installed-malware-cheap-android-phones-crypto-fake-whatsapp/

Category & Tags: Security, Android, Malware, Crypto, Cyber Attack, Cybersecurity, Fraud, WhatsApp
