A New Wave of Smartphone-Based Attacks on Crypto Wallets
Recent findings by Doctor Web researchers reveal a sophisticated wave of attacks targeting cryptocurrency wallets through smartphone malware. This rise in threats stems from Android devices infected with spyware that has been covertly integrated into the software of newly sold smartphones. The primary objective of these attacks is to intercept cryptocurrency transactions by utilizing a compromised version of WhatsApp.
Cheap Phones, Expensive Consequences
The compromised smartphones may look familiar, since they mimic high-end models such as the “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra,” with attractive designs and appealing specifications. However, these devices run outdated software despite claiming the latest Android version, and they come with malware built in. They ship with altered versions of WhatsApp that function as “clippers,” malicious programs that substitute copied cryptocurrency wallet addresses with ones belonging to the attackers. This fake WhatsApp silently replaces wallet addresses for popular cryptocurrencies such as Ethereum and Tron during transactions, so the malware operates unnoticed: the user sees the correct wallet address on their own screen, while the intended recipient receives the altered one, and funds disappear without any visible sign of tampering.
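As an added defender-side illustration (not Doctor Web's code), the following Python checks for the kind of swap the clipper performs: it recognises Ethereum and Tron address formats (Tron via base58check) and flags when the string that comes back from the clipboard differs from the one the user copied. The sample addresses are constructed for the demo and are not wallets from the report.

```python
import hashlib
import re
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("non-base58 character")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))  # leading '1's encode leading zero bytes
    return b"\x00" * pad + raw

def b58encode(b: bytes) -> str:
    n, out = int.from_bytes(b, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(b) - len(b.lstrip(b"\x00"))) + out

def _sha256d4(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def tron_encode(hash160: bytes) -> str:
    """Build a Tron mainnet address: base58check(0x41 || 20-byte key hash)."""
    payload = b"\x41" + hash160
    return b58encode(payload + _sha256d4(payload))

def classify(addr: str):
    """Return 'ethereum', 'tron' or None; a Tron address must pass base58check."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        return "ethereum"
    if re.fullmatch(r"T[1-9A-HJ-NP-Za-km-z]{33}", addr):
        raw = b58decode(addr)
        payload, chk = raw[:-4], raw[-4:]
        if len(payload) == 21 and payload[0] == 0x41 and _sha256d4(payload) == chk:
            return "tron"
    return None

def check_clipboard_roundtrip(copied: str, pasted: str) -> dict:
    """Flag a clipper: the user copied one address and a different one came back."""
    kind = classify(copied)
    return {"chain": kind, "pasted_chain": classify(pasted),
            "swapped": kind is not None and pasted != copied}

if __name__ == "__main__":
    eth, tron = "0x" + "ab" * 20, tron_encode(bytes(range(20)))  # constructed demo values
    print(check_clipboard_roundtrip(eth, eth), check_clipboard_roundtrip(tron, eth))
```

On a device, copy a known address into the clipboard, paste it back into a text field and feed both strings to check_clipboard_roundtrip; a "swapped" result means something on the device is rewriting clipboard contents.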
Not Just WhatsApp
The malicious actors behind this operation have expanded their reach beyond WhatsApp. Doctor Web’s investigation uncovered nearly 40 counterfeit applications, including popular messaging platforms like Telegram, various cryptocurrency wallets such as Trust Wallet and MathWallet, and QR code scanning apps. The infection technique employs a tool named LSPatch, which enables modifications without changing the main application code, allowing the malware to evade detection and remain intact even after updates. The supply chain aspect of this campaign heightens the risk, as researchers suggest that the infection occurs at the manufacturing stage, meaning the devices are compromised before they reach consumers. Many of these smartphones are produced by lesser-known Chinese brands, with some associated with a label called “SHOWJI,” while others remain untraceable.
Beyond Message Hijacking
The spyware’s capabilities extend beyond merely altering wallet addresses; it also sifts through the targeted devices’ image directories, such as DCIM, Downloads, and Screenshots, in search of pictures containing recovery phrases. Many users take screenshots of their recovery phrases for convenience, but these phrases serve as critical access points to their crypto wallets. If cybercriminals obtain these phrases, they can deplete the associated accounts swiftly. Compounding the issue, the modified WhatsApp update system does not connect to official servers but retrieves updates from domains controlled by the attackers, ensuring the malware remains operational and current. Doctor Web has identified over 60 servers and 30 domains associated with this campaign, with some wallets linked to the attackers already amassing over $1 million, and others holding significant balances. Due to the dynamic generation of many addresses, the full extent of the financial impact remains unclear.
How to Stay Safe
Cybersecurity experts from Doctor Web have issued a warning to users about mobile devices and cryptocurrency safety. They advise steering clear of Android phones from unverified sellers, especially those offered at suspiciously low prices. To confirm a device's legitimacy, tools like DevCheck can verify hardware specifications; counterfeit models often spoof system information, so that even reputable apps like CPU-Z or AIDA64 may report false details. Experts also recommend against storing recovery phrases, passwords, or private keys in unprotected images or text files, which are easy prey for spyware. Reputable security software can help identify deeper system-level threats. When downloading applications, it is safest to use official channels such as Google Play. Although the current campaign primarily targets Russian-speaking users, pre-installed malware on inexpensive Android devices, including smartphones and TV boxes, has already been used against unsuspecting users globally. If you have recently purchased an off-brand Android device or suspect that your phone is not what it claims to be, it is prudent to examine what is actually running on it.
