Cheap Android smartphones manufactured by Chinese companies have been observed shipping with a trojanized version of WhatsApp that carries cryptocurrency clipper functionality, as part of a campaign running since June 2024.
While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from the Russian antivirus vendor Doctor Web point to a significant escalation: the threat actors are directly targeting the supply chain of various Chinese manufacturers, so that brand-new devices are pre-loaded with the malicious apps before they reach buyers.
“Fraudulent applications were detected directly in the software pre-installed on the phone,” the company said. “In this case, the malicious code was added to the WhatsApp messenger.”
Most of the compromised devices are said to be low-end phones that mimic well-known premium models from Samsung and Huawei, with names such as S23 Ultra, S24 Ultra, Note 13 Pro and P70 Ultra. At least four of the affected models are produced under the Show brand.
The attackers are said to have used an app to spoof the technical specifications shown on the device's About page, as well as the readings of hardware-information utilities such as AIDA64 and CPU-Z, creating the false impression that the phones run Android 14 and have better hardware than they actually do.
The malicious Android apps are built with an open-source project called LSPatch, which allows the trojan, dubbed Shibai, to be injected into otherwise legitimate software. An estimated 40 different applications, such as messengers and QR code scanners, are believed to have been modified in this way.
In the artifacts analyzed by Doctor Web, the app hijacks the application update process to fetch an APK file from a server under the attacker's control, and it searches the strings in chat conversations for text matching cryptocurrency wallet address patterns. When a match is found, it is replaced with an attacker-controlled address in order to redirect transactions.
“In the case of an outgoing message, the compromised device displays the correct address of the victim's own wallet, while the recipient of the message is shown the attacker's wallet address,” Doctor Web said.
“And when an incoming message arrives, the sender sees the address of their own wallet; meanwhile, on the victim's device, it is replaced with the hacker's wallet address.”
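The two quotes above describe why a clipper is hard to notice on the infected phone alone: each party sees a consistent message, and only the two copies disagree. As an added example (not code from the article or from Doctor Web), the following Python script extracts wallet-address-looking strings from a message and compares the copy rendered on one device with the copy the other party actually received, reporting any address that was swapped on the way. The address patterns (a 0x-prefixed 40-hex-digit address and a Base58 address starting with 1 or 3), the sample messages and the short fingerprint format are all constructed assumptions, not taken from the report.

```python
import re
from itertools import zip_longest

# Constructed address patterns used only for illustration (an assumption, not
# taken from the Doctor Web report). Real clippers may key on other chains too.
ADDRESS_PATTERNS = {
    "hex40": re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9A-Za-z])"),
    "base58": re.compile(r"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![0-9A-Za-z])"),
}


def extract_addresses(text):
    """Return (kind, address) tuples in the order they appear in the text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((m.start(), kind, m.group(0)))
    found.sort()
    return [(kind, addr) for _, kind, addr in found]


def detect_substitution(local_copy, peer_copy):
    """Compare a message as rendered on one device with the same message as
    the other party received it (obtained out of band, e.g. a screenshot sent
    over a different channel). Addresses are paired by position; a pair that
    differs, or an address present on only one side, indicates tampering on
    one endpoint or in transit. Returns a list of (local, peer) address pairs."""
    local = extract_addresses(local_copy)
    peer = extract_addresses(peer_copy)
    mismatches = []
    for a, b in zip_longest(local, peer):
        if a != b:
            mismatches.append((a[1] if a else None, b[1] if b else None))
    return mismatches


def fingerprint(address, head=6, tail=4):
    """Short form of an address that two people can read out to each other
    over a voice call, so the full address is confirmed without retyping it."""
    if len(address) <= head + tail:
        return address
    return f"{address[:head]}...{address[-tail:]}"


# Constructed sample: what the victim's phone displayed versus what the peer
# actually received. The addresses are deliberately artificial.
VICTIM_VIEW = "Please send the refund to 0x" + "1" * 40 + ", thanks"
PEER_VIEW = "Please send the refund to 0x" + "2" * 40 + ", thanks"

if __name__ == "__main__":
    for original, replaced in detect_substitution(VICTIM_VIEW, PEER_VIEW):
        print(f"address changed: {fingerprint(original)} -> {fingerprint(replaced)}")
```

The practical lesson is in `detect_substitution`: a check that runs only on the infected device cannot see the swap, because the malware rewrites the chat view consistently; the comparison needs the peer's copy, or a verbal read-back of the fingerprint, obtained through a channel the phone does not control.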
Besides swapping wallet addresses, the malware is also equipped to harvest device information, all WhatsApp messages, and .jpg, .png and .jpeg images from the DCIM, Pictures, Alarms, Downloads, Documents and Screenshots folders, and to send them to the attacker.
The intention behind this step is to scan the stored images for wallet recovery (aka mnemonic) phrases, which would allow the threat actors to gain unauthorized access to the victims' wallets and drain their assets.
It is unclear who is behind the campaign, although the attackers have been found to use about 30 domains to distribute the malicious applications and more than 60 command-and-control (C2) servers to manage the operation.
Further analysis of nearly two dozen cryptocurrency wallets used by the threat actors has shown that they have received more than $1.6 million over the past two years, indicating that the supply chain compromise has paid off handsomely.
The development comes as the Swiss cybersecurity company Prodaft has discovered a new Android malware family, named Gorilla, designed to collect sensitive information (such as device details, phone numbers, Android version, SIM card details and installed applications) and to maintain persistent access to infected devices.
“Written in Kotlin, it is primarily focused on SMS interception and on a persistent connection with its command-and-control (C2) server,” the company said in its analysis. “Unlike many advanced strains, Gorilla does not yet use the more sophisticated techniques those strains employ, which indicates that it may still be under active development.”
In recent months, Android apps built with the FakeApp trojan have also been distributed through the Google Play Store and have been found to use a DNS server to obtain a configuration containing a URL to load.
These applications, since removed from the marketplace, pose as well-known and popular games and apps, and they are equipped to receive external commands that can perform various malicious actions, such as loading unwanted websites or displaying phishing windows.
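Fetching a configuration through DNS is attractive to an app that wants to look quiet on the network, so resolver logs are a useful place to look for it. As an added example (not code from the article or from any of the vendors it cites), the Python script below scans DNS TXT answers from a resolver log, skips common benign TXT uses, base64-decodes the remaining payloads and flags any that decode to text containing a URL. The log line format, the use of TXT records, the base64 encoding and the JSON shape of the configuration are all assumptions made for the example; the article only states that a DNS server hands out a configuration containing a URL.

```python
import base64
import binascii
import json
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# TXT payloads that are expected in normal traffic; extend for your environment.
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "google-site-verification=")
# Assumed resolver log line layout: "<timestamp> <client> TXT <qname> "<txt data>""
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) TXT (\S+) "(.*)"$')


def parse_txt_records(log_text):
    """Parse the assumed log format into dicts; lines that do not match are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m.group(1), "client": m.group(2),
                            "qname": m.group(3), "txt": m.group(4)})
    return records


def decode_payload(txt):
    """Return the TXT data as text if it is strictly valid base64 of UTF-8, else None."""
    try:
        raw = base64.b64decode(txt, validate=True)
    except (ValueError, binascii.Error):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def flag_config_beacons(log_text):
    """Return (client, qname, [urls]) for TXT answers whose decoded payload carries a URL."""
    hits = []
    for rec in parse_txt_records(log_text):
        if rec["txt"].startswith(BENIGN_PREFIXES):
            continue
        decoded = decode_payload(rec["txt"])
        if decoded is None:
            continue
        urls = URL_RE.findall(decoded)
        if urls:
            hits.append((rec["client"], rec["qname"], urls))
    return hits


# Constructed sample: a benign DMARC record, a site-verification token and one
# base64-encoded JSON configuration pointing at a (reserved, non-routable) host.
CONSTRUCTED_CONFIG = json.dumps({"url": "http://config-host.invalid/landing"})
ENCODED_CONFIG = base64.b64encode(CONSTRUCTED_CONFIG.encode()).decode()
SAMPLE_LOG = f'''\
2025-04-01T10:00:01Z 10.0.0.5 TXT _dmarc.example.invalid "v=DMARC1; p=reject"
2025-04-01T10:00:02Z 10.0.0.8 TXT cfg.update-check.invalid "{ENCODED_CONFIG}"
2025-04-01T10:00:03Z 10.0.0.9 TXT example.invalid "google-site-verification=abc123"
'''

if __name__ == "__main__":
    for client, qname, urls in flag_config_beacons(SAMPLE_LOG):
        print(f"{client} fetched config via TXT {qname}: {urls}")
```

This is a triage signal rather than a verdict: some legitimate software also distributes settings through TXT records, so the useful next step is to correlate the querying client with the app that opened the socket and with whether the embedded host is subsequently loaded in a WebView.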