A new wave of smartphone-based attacks is sweeping through the crypto community, with researchers discovering that cheap Android phones are being sold with pre-installed malware. These devices, which mimic high-end models like the “S23 Ultra” and “Note 13 Pro,” come with a modified version of WhatsApp that serves as a clipper. The malware intercepts cryptocurrency transactions, replacing wallet addresses with those controlled by the attackers, while the user remains unaware, as the displayed addresses appear normal.
The malware is particularly dangerous because it doesn’t just target WhatsApp but also other apps like Telegram and crypto wallets. The attackers use a tool called LSPatch, which modifies apps without changing their core code, making the malicious software difficult to detect and allowing it to survive updates. This issue is rooted in the manufacturing process, with infected phones entering the market directly from smaller Chinese brands, many of which remain untraceable.
The spyware goes further by scanning through users’ image folders to steal recovery phrases for cryptocurrency wallets.
These phrases act as master keys, enabling attackers to drain accounts swiftly. Additionally, the malicious software updates itself from attacker-controlled domains rather than official servers, ensuring its persistence and functionality.
Experts warn users to avoid purchasing Android phones from unverified sellers, particularly if the price seems unusually low. To verify a device’s authenticity, tools like DevCheck can be used to cross-check hardware details. It’s also crucial to avoid storing sensitive information, like recovery phrases, in unencrypted formats, and to download apps only from official sources like Google Play. The global scale of this campaign highlights the need for heightened vigilance among mobile users, especially those involved in cryptocurrency transactions.
