What Happened?
In a chilling new twist to mobile cybersecurity threats, budget Android smartphones manufactured by certain Chinese companies have been discovered shipping with pre-installed, malicious versions of WhatsApp and Telegram. These fake apps, equipped with cryptocurrency-stealing malware, target unsuspecting users by hijacking wallet addresses and harvesting sensitive data right out of the box. Uncovered by cybersecurity researchers at Doctor Web, this supply chain attack marks a dangerous evolution in mobile malware — one that bypasses traditional app store defenses by embedding threats directly into the operating system of brand-new devices.
How It Works
The malware, named Shibai, is particularly dangerous because of how quietly and effectively it operates. Once on the device, it monitors chat messages for cryptocurrency wallet addresses — especially ones linked to Ethereum and Tron. When a user tries to send their wallet address, Shibai seamlessly swaps it out with an address controlled by the attacker. The swap is so subtle that it’s virtually invisible to the victim; the message appears normal to the sender, but the recipient sees a completely different address. This tactic reroutes funds without triggering any alarms or suspicions.
But the threat doesn’t stop there. Shibai also digs deep into the phone’s data — pulling all WhatsApp messages, extracting device information, and scanning through image files stored in folders like DCIM, Pictures, Downloads, and Screenshots. The goal? To uncover wallet recovery phrases (also known as seed phrases), which can grant full access to a user’s cryptocurrency wallets. Once those are in the hands of the attackers, they can drain the wallets entirely, leaving victims with no way to recover their funds.
How Did This Malware End Up on Brand-New Phones?
What makes this threat especially alarming is that the malware wasn’t downloaded accidentally — it was already installed when users first turned on their phones. This points to a supply chain attack, where malicious software is injected into devices during the manufacturing or software installation process, often before the phones even leave the factory.
In this case, the affected devices are mostly cheap Android phones sold under lesser-known brand names that imitate popular models from Samsung or Huawei — names like S23 Ultra, Note 13 Pro, or P70 Ultra. These phones are usually available at suspiciously low prices on online marketplaces and come with seemingly advanced specs, but many of those details are faked using spoofed system information.
Because the malicious apps are embedded in the system itself, users can't simply uninstall them. This makes the threat harder to detect and nearly impossible to remove without flashing the device with a clean version of Android — a task most everyday users aren’t equipped to do.
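Whether a messaging app is a normal install or part of the firmware is visible from its APK path. The script below is an added example (my code, not from the article or from Doctor Web): it parses the text printed by `adb shell pm list packages -f`, whose lines have the form `package:<apk path>=<package name>`, and reports watched apps stored on a read-only partition. `com.whatsapp` and `org.telegram.messenger` are the real Play Store package names of the two apps; the sample output and its paths are constructed.

```python
"""Flag messaging apps installed on a read-only Android partition.

Added example, not code from the original article or from Doctor Web.
Input is the text printed by `adb shell pm list packages -f`, one line per
package in the form `package:<apk path>=<package name>`.
"""

# Real Play Store package names of the two apps the article mentions.
MESSAGING_PACKAGES = {"com.whatsapp", "org.telegram.messenger"}

# Partitions a user cannot modify without reflashing; an app stored here
# can only be disabled in Settings, never uninstalled.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/odm/", "/oem/")


def parse_pm_list(output):
    """Map package name -> APK path from `pm list packages -f` output."""
    apps = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Paths of Play-installed apps contain '=' themselves
        # (e.g. /data/app/~~xyz==/...), so split on the LAST '='.
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep:
            apps[pkg] = path
    return apps


def system_installed_messengers(output, watch=MESSAGING_PACKAGES):
    """Return {package: path} for watched apps living on a system partition."""
    return {
        pkg: path
        for pkg, path in parse_pm_list(output).items()
        if pkg in watch and path.startswith(SYSTEM_PREFIXES)
    }


# Constructed sample output: WhatsApp installed normally under /data/app,
# Telegram baked into the firmware under /system/app.
SAMPLE_OUTPUT = """\
package:/data/app/~~AbC123==/com.whatsapp-XyZ456==/base.apk=com.whatsapp
package:/system/app/Telegram/Telegram.apk=org.telegram.messenger
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

if __name__ == "__main__":
    for pkg, path in system_installed_messengers(SAMPLE_OUTPUT).items():
        print(f"REVIEW: {pkg} is preinstalled at {path}; "
              "compare its signing certificate with the Play Store build")
```

A hit means only that the app cannot be removed from Settings, not that it is malicious: some manufacturers legitimately preload messengers. The next step for a flagged package is to pull the APK and compare its signing certificate with the one on the Play Store build before drawing a conclusion.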
Why It Matters
This threat is particularly alarming because it’s a supply chain attack, meaning the phones are compromised before they even reach the user. Unlike typical malware infections, where a user might accidentally download a harmful app or click on a phishing link, these devices are already infected out of the box. The malware is embedded directly into the software that comes pre-installed on the phone, leaving users completely unaware that their devices are compromised from the moment they power them on.
What’s even more concerning is the scale of the attack. The attackers have already siphoned off more than $1.6 million in stolen cryptocurrency, highlighting just how profitable and widespread this campaign has become. These attackers have found a way to exploit vulnerabilities in the very devices people use every day, making it much harder to detect and prevent. It’s a reminder of just how important it is to be cautious with seemingly innocent tech purchases, especially when they come from unfamiliar brands or sellers.
Ongoing Threat
Unfortunately, this isn’t a problem that’s been solved yet — the campaign is still active as of April 2025. Researchers continue to uncover new infected devices and more control servers tied to the malware operation. This means that anyone who buys one of these compromised devices is still at risk of falling victim to the malware. It’s a constant cat-and-mouse game between the attackers and cybersecurity experts, with the attackers finding new ways to keep their malicious code hidden and evade detection.
As the investigation continues, more models and brands are being found to be part of the attack, expanding the scope of the threat. This ongoing issue underlines the importance of staying vigilant, especially when purchasing electronics online or from lesser-known sources. It's clear that these attacks aren't just isolated incidents but part of a larger, ongoing campaign that could continue to affect users for the foreseeable future.
Stay Safe
- Avoid unknown or off-brand Android phones: It's crucial to be cautious when purchasing Android devices, especially from lesser-known or off-brand manufacturers. These phones may seem like a bargain, but they often come with significant risks, such as pre-installed malware. Opt for well-known, trusted brands that have a history of regular security updates and proper customer support. If the deal seems too good to be true, it probably is.
- Only install apps from trusted sources: To protect your device, make sure that you only download apps from reliable and official sources like the Google Play Store. Avoid third-party app stores, as they are often less regulated and may contain malware or apps with harmful code. Additionally, always review app permissions before installing them to ensure the app is not requesting access to unnecessary data, such as your contacts, camera, or microphone.
- Regularly scan your phone for malware: Even if you're cautious with your app downloads, it's important to regularly scan your phone for malware. Consider using reputable antivirus software that specializes in mobile security to conduct routine checks. These tools can detect malware that might not be immediately visible and alert you to potential threats, helping to keep your phone safe from malicious apps and other vulnerabilities.
- Double-check crypto wallet addresses before sending: Cryptocurrency transactions are irreversible, so it's essential to verify the wallet address you're sending funds to. Even a small typo or subtle alteration in the address can lead to lost funds. Always double-check the address before confirming a transaction, and consider using QR codes or other secure methods to ensure accuracy. With malware like Shibai capable of swapping wallet addresses, this extra layer of caution is critical.
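To make the address swap described under How It Works concrete, and to show what "double-check the address" amounts to in code, here is an added example (my code, not the article's or Doctor Web's). It assumes only the public address formats: Ethereum addresses are `0x` plus 40 hex characters, Tron addresses are base58check with version byte 0x41, 34 characters starting with `T`. Every message and address in it is constructed; the hypothetical `detect_substitution` helper pairs the addresses the sender typed with the ones the recipient sees and reports any that differ.

```python
"""Extract crypto wallet addresses from chat text and spot a swap.

Added example, not from the article or Doctor Web. Only the address
formats are real (Ethereum: 0x + 40 hex chars; Tron: base58check with
version byte 0x41, 34 chars starting with 'T'). All messages and
addresses below are constructed for the demonstration.
"""
import hashlib
import re
from itertools import zip_longest

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# One pattern so matches come back in message order.
ADDRESS_RE = re.compile(r"\b(?:0x[0-9a-fA-F]{40}|T[1-9A-HJ-NP-Za-km-z]{33})\b")


def b58encode(data):
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def tron_checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_address_from_hash(pubkey_hash20):
    """Build a Tron address from a 20-byte hash (used here to make samples)."""
    payload = b"\x41" + pubkey_hash20
    return b58encode(payload + tron_checksum(payload))


def tron_address_valid(addr):
    """True if addr decodes to 0x41 + 20 bytes + a correct 4-byte checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0x41 and raw[21:] == tron_checksum(raw[:21])


def extract_addresses(text):
    return ADDRESS_RE.findall(text)


def detect_substitution(sender_view, recipient_view):
    """Pair addresses by position in the two views; return the pairs that differ.

    A non-empty result means the recipient sees an address the sender did not
    type, which is what an in-app swap looks like once both sides compare
    over a channel the phone cannot rewrite (a call, a second device).
    """
    sent = extract_addresses(sender_view)
    received = extract_addresses(recipient_view)
    return [(s, r) for s, r in zip_longest(sent, received) if s != r]


# Constructed addresses: both are format-valid, neither is a real wallet.
INTENDED_TRON = tron_address_from_hash(bytes(range(20)))
SWAPPED_TRON = tron_address_from_hash(bytes([0x5A] * 20))
SENDER_MSG = f"My Tron address is {INTENDED_TRON}, send the USDT there."
RECIPIENT_MSG = f"My Tron address is {SWAPPED_TRON}, send the USDT there."

if __name__ == "__main__":
    for sent, seen in detect_substitution(SENDER_MSG, RECIPIENT_MSG):
        print(f"MISMATCH: sender typed {sent}, recipient sees {seen}")
    print("swapped address passes the format check:", tron_address_valid(SWAPPED_TRON))
```

Two things to take from it. First, the swapped address passes the Tron checksum just as the intended one does, so validating the address format catches typos but never a swap; only comparing what the sender typed with what the recipient received does. Second, Ethereum addresses here are format-checked only, because EIP-55 checksum validation needs keccak-256, which the Python standard library does not provide.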
Conclusion
At Skyriver IT, we specialize in identifying vulnerabilities, securing networks, and providing ongoing monitoring to catch potential threats before they can do any damage. Our expert team is experienced in handling malware, supply chain attacks, and crypto-related threats, ensuring that your devices and data are safe from malicious actors. Whether it’s helping your business implement stronger security protocols, providing malware detection and removal, or offering training to ensure your team is cyber-aware, we’ve got you covered.
Don’t wait until you’re the next target. Contact Skyriver IT today to learn more about how we can help safeguard your digital assets and ensure your systems are protected against the latest threats.