Chinese Android smartphones come with viruses that mimic WhatsApp or Telegram
Analysts at the Russian antivirus company Dr.Web said that after analysing the cheapest Chinese smartphones since June 2024, they systematically detected trojans disguised as pre-installed WhatsApp and Telegram. These apps contain malware that steals users' cryptocurrency. The malware, known as Shibai, has been found in software pre-installed on the phones. It replaces crypto wallet addresses in users' messages with those of the attackers, allowing them to redirect transactions to their own accounts.
Most of the affected devices are very low-end smartphones that mimic well-known models such as the Samsung Galaxy S23/24 Ultra or Huawei P70 Ultra. The devices mask their true configuration by displaying fake specifications to mislead users. Such devices may also come with fake AIDA64 and CPU-Z benchmarking software that significantly inflates the reported performance.
An example of the pages of such phones on a Chinese marketplace. Illustration: x.com
Although the practice of installing infected software on Chinese smartphones is not new, experts say that such cases have increased significantly in recent years.
In addition to spoofing wallet addresses, the malware also collects personal information, including photos and other images from the device, which it searches for the recovery phrases used to restore access to crypto wallets.
The attackers use more than 60 servers to manage this operation and about 30 domains to distribute the malware. Over the past two years, they have received more than $1.6 million in cryptocurrency, so their efforts are clearly paying off.
Experts recommend avoiding buying cheap smartphones from unverified sources and always checking the authenticity of installed applications.
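One way to carry out the authenticity check recommended above, shown as an added example that is not from the article or from Dr.Web: pull the installed APK over adb and compare its signing certificate with a digest taken from a copy you trust. It assumes adb and apksigner (Android SDK build-tools) are installed; the function names, the script name and the sample output are constructed for illustration, and the trusted digest is a placeholder you supply.

```shell
#!/usr/bin/env bash
# Added example (not from the article): verify who signed an installed app.
# Assumes adb and apksigner (Android SDK build-tools) are on PATH.
# Usage: ./check_signer.sh com.whatsapp <TRUSTED_SHA256>  (script name is hypothetical)
# <TRUSTED_SHA256> is a placeholder: take it from apksigner output for an APK
# downloaded from the vendor's official site or store.

# Constructed sample of `apksigner verify --print-certs` output (not a real certificate).
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Constructed Example
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567'

# Read apksigner output on stdin, print normalized SHA-256 signer digests.
signer_digests() {
  grep -i 'certificate SHA-256 digest:' \
    | sed 's/.*digest:[[:space:]]*//' \
    | tr 'A-F' 'a-f' | tr -d ': ' | sort -u
}

# Succeed only if signer digests are present and all equal the trusted one.
matches_reference() {
  local trusted found
  trusted=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ': ')
  found=$(signer_digests)
  [ -n "$found" ] && [ "$found" = "$trusted" ]
}

# Pull the APK of package $1 and compare its signer with digest $2.
check_installed() {
  local pkg trusted tmp path
  pkg="$1"; trusted="$2"
  tmp=$(mktemp -d) || return 2
  # `pm path` prints "package:<path>"; this takes the first path listed.
  path=$(adb shell pm path "$pkg" | head -n 1 | tr -d '\r' | sed 's/^package://')
  if [ -z "$path" ] || ! adb pull "$path" "$tmp/base.apk" >/dev/null; then
    echo "$pkg: could not fetch APK"; rm -rf "$tmp"; return 2
  fi
  if apksigner verify --print-certs "$tmp/base.apk" | matches_reference "$trusted"; then
    echo "$pkg: signer matches reference"; rm -rf "$tmp"; return 0
  fi
  echo "$pkg: SIGNER MISMATCH or invalid signature"; rm -rf "$tmp"; return 1
}

# Run against a device only when both arguments are given.
if [ "$#" -eq 2 ]; then check_installed "$1" "$2"; fi
```

Because a modified APK has to be re-signed, a copy of a messenger that was altered before being pre-installed will not carry the original developer's signer digest, and an APK whose signature fails verification is reported as a mismatch as well.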