
Cheap Android smartphones manufactured by Chinese companies have been observed shipping, since June 2024, with trojanized apps disguised as WhatsApp and Telegram that include cryptocurrency clipper functionality as part of the campaign.
While stealing financial information with malware-laced apps is not a new phenomenon, the new findings from the Russian anti-virus vendor Doctor Web point to a significant escalation: threat actors are directly targeting the supply chains of various Chinese manufacturers in order to preload new devices with malicious apps.
“The fraudulent applications were detected directly in the software pre-installed on the phone,” the company said. “In this case, the malicious code was added to the WhatsApp messenger.”

The majority of the compromised devices are marketed as the S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra, and are said to be low-end phones that imitate well-known premium models from Samsung and Huawei. At least four of the affected models are manufactured under the Showji brand.
The attackers are said to have used an application to spoof the technical specifications shown on the About Device page, as well as in hardware and software information utilities such as AIDA64 and CPU-Z, giving users the false impression that the phone runs Android 14 and has better hardware than it actually does.
The malicious Android apps are built with an open source project called LSPatch, which is used to inject a trojan called Shibai into otherwise legitimate software. In total, around 40 different applications, including messengers and QR code scanners, are estimated to have been modified in this way.
In one artifact analyzed by Doctor Web, the application hijacks the app’s update process to retrieve an APK file from a server under the attackers’ control, and searches chat conversations for strings that match the wallet address patterns of Ethereum or Tron. If any are found, they are replaced with the adversary’s address.
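Because the trojan is delivered by repackaging a legitimate app with LSPatch, one check a practitioner can run on a suspect device is to look inside the APK (a zip archive) for the files LSPatch adds when it embeds the original app and its loader. The script below is an added example, not Doctor Web’s tooling or the LSPatch project’s own code; the marker paths under `assets/lspatch/` are assumptions about LSPatch’s packaging layout and should be verified against the LSPatch source, and the sample APK it inspects is constructed in memory.

```python
import io
import zipfile

# Added example (not Doctor Web's or LSPatch's code). The marker paths are an
# assumption about how LSPatch repackages an APK: it stores its own config,
# the original app, and its loader under assets/lspatch/. Verify them against
# the LSPatch source before relying on this in a triage workflow.
LSPATCH_MARKERS = (
    "assets/lspatch/config.json",
    "assets/lspatch/origin.apk",
    "assets/lspatch/loader.dex",
)


def lspatch_indicators(apk_bytes: bytes) -> list[str]:
    """Return every LSPatch-style entry found in the APK, known markers first.

    An APK is a zip file, so the archive listing is enough; no decoding of
    DEX or resources is needed for this check.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
    hits = [marker for marker in LSPATCH_MARKERS if marker in names]
    # Anything else under assets/lspatch/ is suspicious too, even if the
    # exact file names differ between LSPatch versions.
    hits += sorted(
        name for name in names
        if name.startswith("assets/lspatch/") and name not in LSPATCH_MARKERS
    )
    return hits


def build_sample_apk(patched: bool) -> bytes:
    """Constructed sample: a minimal zip standing in for a real APK.

    With patched=True it carries the assumed LSPatch markers; with
    patched=False it looks like a plain, unmodified package.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00")
        if patched:
            apk.writestr("assets/lspatch/config.json", b'{"useManager": false}')
            apk.writestr("assets/lspatch/origin.apk", b"PK\x03\x04")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("patched" if flag else "clean", "->", lspatch_indicators(build_sample_apk(flag)))
```

On a real device, pull the package with `adb pull` on the path reported by `pm path <package>` and pass the file’s bytes to `lspatch_indicators`. A repackaged app also has to be re-signed by whoever modified it, so comparing the signing certificate (`apksigner verify --print-certs`) against the vendor’s published one is an independent second check that does not depend on the marker paths assumed here.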

“In the case of outgoing messages, the compromised device displays the correct address of the victim’s own wallet, while the recipient of the message is shown the address of the fraudster’s wallet,” Doctor Web said.
“And when an incoming message is received, the sender sees the address of his own wallet. Meanwhile, on the victim’s device, the incoming address is replaced with the address of the hacker’s wallet.”
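The substitution described above and the asymmetry in what each side sees can be modelled in a few lines. The following is an added example, not code from the Shibai trojan or from Doctor Web’s report: it applies loose “looks like a wallet address” patterns for Ethereum (0x plus 40 hex digits) and Tron (T plus 33 base58 characters) to outgoing and incoming chat text, and includes the comparison a defender would make to detect the swap. The attacker addresses and the chat lines are constructed for the demonstration.

```python
import re

# Added example (not the trojan's own code): a clipper-style address swap
# over chat text, modelled for both message directions, plus a defender check.

# Loose address patterns of the kind a clipper uses. They do not validate
# checksums (EIP-55 for Ethereum, base58check for Tron); they only match shape.
ETH_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9A-Za-z])")
TRON_RE = re.compile(r"(?<![0-9A-Za-z])T[1-9A-HJ-NP-Za-km-z]{33}(?![0-9A-Za-z])")

# Constructed attacker-controlled addresses (assumed, not taken from the report).
ATTACKER_ETH = "0x" + "ab" * 20
ATTACKER_TRON = "T" + "A" * 33


def find_wallet_addresses(text: str) -> list[tuple[str, str]]:
    """Return [(kind, address), ...] in order of appearance in the text."""
    found = [("eth", m.group(0), m.start()) for m in ETH_RE.finditer(text)]
    found += [("tron", m.group(0), m.start()) for m in TRON_RE.finditer(text)]
    return [(kind, addr) for kind, addr, _ in sorted(found, key=lambda f: f[2])]


def swap_addresses(text: str) -> str:
    """What the clipper does: replace every matching address with the attacker's."""
    text = ETH_RE.sub(ATTACKER_ETH, text)
    return TRON_RE.sub(ATTACKER_TRON, text)


def send_message(text: str) -> dict[str, str]:
    """Outgoing: the victim's screen keeps the original, the wire carries the swap."""
    return {"shown_to_victim": text, "sent_on_wire": swap_addresses(text)}


def receive_message(wire_text: str) -> dict[str, str]:
    """Incoming: the sender's copy is untouched, the victim's display is swapped."""
    return {"sender_copy": wire_text, "shown_to_victim": swap_addresses(wire_text)}


def addresses_tampered(shown: str, transmitted: str) -> bool:
    """Defender check: the addresses on screen must equal the ones that actually
    left (or arrived at) the device. Any difference means a clipper is in play."""
    return find_wallet_addresses(shown) != find_wallet_addresses(transmitted)


if __name__ == "__main__":
    out = send_message("pay me at 0x" + "1" * 40)
    print(out)
    print("tampered:", addresses_tampered(out["shown_to_victim"], out["sent_on_wire"]))
```

The check in `addresses_tampered` only works with a view of the message obtained off the compromised device (the recipient reading the address back over a phone call, or a packet capture of the transmitted message), which is exactly why the trojan takes care to show the victim the unmodified text.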
In addition to swapping wallet addresses, the malware can collect device information, all WhatsApp messages, and .jpg, .png, and .jpeg images from the DCIM, Pictures, Alarms, Downloads, Documents, and Screenshots folders, and upload them to the attackers’ server.
The intention is to scan the saved images for wallet recovery (aka mnemonic) phrases, allowing the threat actors to gain unauthorized access to victims’ wallets and drain their assets.
The attackers are known to use around 30 domains to distribute the malicious applications and more than 60 command-and-control (C2) servers to manage operations, but it is not clear who is behind the campaign.

Further analysis of almost 20 cryptocurrency wallets used by the threat actors reveals that they have received more than $1.6 million over the past two years, indicating that the supply chain compromise has paid off on a massive scale.
The development comes as Swiss cybersecurity company Prodaft discovered a new Android malware family called Gorilla, designed to collect sensitive information (device model, phone number, Android version, SIM card details, installed apps), maintain persistent access to infected devices, and receive commands from remote servers.
“It is written in Kotlin and focuses primarily on SMS interception and persistent communication with its command and control (C2) server,” the company said in its analysis. “Unlike many advanced malware strains, Gorilla has not yet adopted obfuscation techniques, which shows that it may still be under active development.”

In recent months, Android apps embedding the FakeApp trojan and propagated through the Google Play Store have also been found to receive configurations containing URLs to load, delivered by way of a DNS server.
These apps, since removed from the marketplace, impersonate well-known and popular games and apps, and have the ability to receive external commands to perform a variety of malicious actions, such as loading unwanted websites and serving phishing windows.