
Chinese Android phones shipped with fake WhatsApp and Telegram apps targeting crypto users


Cheap Android smartphones made by Chinese companies have been found pre-installed with trojanized applications masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality, as part of a campaign running since June 2024.

While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to a significant escalation, where threat actors directly target the supply chain of various Chinese manufacturers to preload new devices with malicious applications.

“Fraudulent applications were discovered directly in the software pre-installed on the phone,” the company said. “In this case, the malicious code was added to the WhatsApp messenger.”


Most of the compromised devices are said to be low-end phones that imitate well-known premium models from Samsung and Huawei, with names like S23 Ultra, S24 Ultra, Note 13 Pro and P70 Ultra. At least four of the affected models are produced under the SHOWJI brand.

The attackers are said to have used an application to spoof the technical specifications shown on the device information page, as well as in hardware and software information utilities such as AIDA64 and CPU-Z, giving users the false impression that the phones run Android 14 and have improved hardware.

The malicious Android applications are created using an open-source project called LSPatch, which allows the trojan, dubbed Shibai, to be injected into otherwise legitimate software. In total, about 40 different applications, such as messengers and QR code scanners, are estimated to have been modified this way.

In the analyzed artifacts, the application hijacks the app update process to download an APK file from a server under the attackers' control, and searches chat conversations for strings that match cryptocurrency wallet address patterns. If any are found, they are replaced with the attackers' addresses to redirect transactions.


“In the case of an outgoing message, the compromised device displays the correct address of the victim’s own wallet, while the recipient of the message is shown the address of the fraudsters’ wallet,” Doctor Web said.

“And when an incoming message is received, the sender sees the address of their own wallet; meanwhile, on the victim’s device, the incoming address is replaced with the address of the hackers’ wallet.”
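Because each device shows its own user the "expected" address, the swap only becomes visible when the two sides of a conversation are compared. The sketch below is an added example, not code from Doctor Web or the original article; the Ethereum-style and Tron-style address patterns and the message-id-to-text transcript format are assumptions, and the sample addresses and messages are constructed.

```python
import re
from itertools import zip_longest

# Assumed address shapes (the article does not list them): Ethereum-style
# "0x" + 40 hex characters, Tron-style "T" + 33 base58 characters.
ADDRESS_RE = re.compile(r"\b(?:0x[0-9a-fA-F]{40}|T[1-9A-HJ-NP-Za-km-z]{33})\b")


def extract_addresses(text):
    """Return wallet-address-like tokens in order of appearance."""
    return ADDRESS_RE.findall(text)


def _same(a, b):
    # Hex addresses may differ only in checksum casing; base58 is case-sensitive.
    if a.startswith("0x") and b.startswith("0x"):
        return a.lower() == b.lower()
    return a == b


def find_swapped_addresses(sender_view, recipient_view):
    """Compare one conversation as displayed on the sender's and recipient's devices.

    Each view maps message id -> text shown on that device. Returns a list of
    (message_id, address_on_sender, address_on_recipient); a side that shows
    no address at that position is reported as None.
    """
    findings = []
    for msg_id in sorted(sender_view.keys() & recipient_view.keys()):
        sent = extract_addresses(sender_view[msg_id])
        seen = extract_addresses(recipient_view[msg_id])
        for a, b in zip_longest(sent, seen):
            if a is None or b is None or not _same(a, b):
                findings.append((msg_id, a, b))
    return findings


# Constructed sample data: placeholder addresses, not real wallets.
OWN_WALLET = "0x" + "ab12" * 10
OTHER_WALLET = "0x" + "cd34" * 10
SENDER_VIEW = {1: "Please pay to " + OWN_WALLET, 2: "Thanks!"}
RECIPIENT_VIEW = {1: "Please pay to " + OTHER_WALLET, 2: "Thanks!"}

if __name__ == "__main__":
    for finding in find_swapped_addresses(SENDER_VIEW, RECIPIENT_VIEW):
        print("address mismatch in message %s: %s -> %s" % finding)
```

In practice the same comparison is what confirming a wallet address over a second channel, such as a voice call, achieves by hand.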

In addition to changing wallet addresses, the malware is also equipped to harvest and exfiltrate device data, all WhatsApp messages, and .jpg, .png and .jpeg images from the DCIM, Pictures, Alarms, Downloads, Documents and Screenshots folders.

The intention of this step is to scan the stored images for wallet recovery (aka mnemonic) phrases, allowing the threat actors to gain unauthorized access to victims' wallets and drain their assets.

It is not clear who is behind the campaign, although the attackers have been found to use about 30 domains to distribute the malicious applications and employ more than 60 command-and-control (C2) servers to manage the operation.


Further analysis of almost two dozen cryptocurrency wallets revealed that they received more than 1.6 million dollars in the last two years, indicating that the supply chain compromise has paid off in a big way.

The development comes as a Swiss cybersecurity company detailed an Android malware family, Gorilla, that collects sensitive information (e.g., device model, phone numbers, Android version and installed applications), maintains persistent access to infected devices and receives commands from remote servers.

“Written in Kotlin, it primarily focuses on intercepting SMS and persistent communication with its command-and-control server,” the company said in an analysis. “Unlike many advanced malware strains, Gorilla does not yet use obfuscation techniques, indicating that it may still be under active development.”


In recent months, Android applications embedding the FakeApp trojan and distributed via the Google Play Store have also been found using a DNS server to download a configuration that includes a URL to load.

These applications, since removed from the marketplace, impersonate well-known and popular games and apps, and are equipped with the ability to receive external commands that can perform various malicious actions, such as loading spam sites or displaying phishing windows.


2025-04-16 10:34:00
