BEWARE! The Dangers Of Cheap Phones With Fake Apps Targeting Crypto Users In Africa

By Professor Oludare Ogunlana

A recent investigation reveals a troubling cybersecurity development: low-cost Android phones, reportedly counterfeits of popular models built by unnamed Chinese manufacturers, are being shipped with pre-installed, trojanized versions of WhatsApp and Telegram designed to steal cryptocurrency.

According to researchers at Doctor Web, these counterfeit apps are not merely modified builds but part of a wider supply chain compromise that began around June 2024: the malware is already on the device when it leaves the factory or the reseller, so no user action is needed to install it. The trojanized apps carry a "clipper" component, named Shibai, which silently rewrites cryptocurrency wallet addresses inside chat messages with addresses controlled by the criminals. When a user sends or receives a wallet address in a chat, the malware swaps it out so that funds are routed to the attackers' wallets. The deception is two-sided: the infected app shows each party the address it expects to see, so neither sender nor recipient notices the substitution on their own screen.
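The following is an added illustration of the mechanism described above; it is not Doctor Web's code, nor Shibai's, and all of it is constructed for this page. It models an infected messenger that rewrites wallet addresses on the way out while keeping the sender's own view intact, and it shows the one check that still works in that situation: comparing the address the sender saw with the address the recipient actually received, over a second channel. The address regexes, the placeholder addresses and the function names are assumptions chosen for the example.

```python
import re
from itertools import zip_longest

# Illustrative address patterns for three common chain formats. This is an
# assumption for the example; the article does not say which chains Shibai
# recognises, and these patterns are syntactic only (no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron":       re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

# Constructed, syntactically plausible addresses. None of these are real wallets.
VICTIM_ADDRESSES = {
    "btc_legacy": "1VictimAddrDemo" + "X" * 20,
    "eth":        "0x" + "ab" * 20,
    "tron":       "TVictimTron" + "X" * 23,
}
ATTACKER_ADDRESSES = {
    "btc_legacy": "1AttackerAddrDemo" + "Y" * 18,
    "eth":        "0x" + "cd" * 20,
    "tron":       "TAttackerTron" + "Y" * 21,
}


def find_addresses(text):
    """Return [(chain, address), ...] for every address-shaped token in text,
    in order of appearance."""
    hits = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), chain, match.group(0)))
    hits.sort()
    return [(chain, addr) for _, chain, addr in hits]


def clipper_swap(text, attacker_addresses=ATTACKER_ADDRESSES):
    """What a clipper does to a message body: every recognised wallet address
    is replaced by the attacker's address for the same chain."""
    rewritten = text
    for chain, pattern in ADDRESS_PATTERNS.items():
        rewritten = pattern.sub(attacker_addresses[chain], rewritten)
    return rewritten


def simulate_infected_send(message):
    """Model of the two-sided deception: the sender's chat history keeps the
    original text, while the message that actually leaves the device has been
    rewritten. Returns (sender_view, recipient_view)."""
    return message, clipper_swap(message)


def out_of_band_mismatches(sender_view, recipient_view):
    """Cross-check the addresses the sender saw against those the recipient
    received. Neither screen alone reveals the swap, so this comparison has to
    happen over a channel the infected app does not control (a voice call, a
    second device, a photo of the other party's screen).

    Returns [(chain, address_sent, address_received), ...]; empty means the
    two views agree."""
    sent = find_addresses(sender_view)
    received = find_addresses(recipient_view)
    mismatches = []
    for s, r in zip_longest(sent, received):
        if s != r:
            chain = s[0] if s else r[0]
            mismatches.append((chain, s[1] if s else None, r[1] if r else None))
    return mismatches


if __name__ == "__main__":
    msg = ("Pay 0.5 BTC to " + VICTIM_ADDRESSES["btc_legacy"]
           + " and the rest to " + VICTIM_ADDRESSES["eth"])
    sender_view, recipient_view = simulate_infected_send(msg)
    print("sender sees   :", sender_view)
    print("recipient gets:", recipient_view)
    for chain, sent_addr, recv_addr in out_of_band_mismatches(sender_view, recipient_view):
        print(f"SWAP DETECTED on {chain}: sent {sent_addr} but received {recv_addr}")
```

Two practical notes. First, checking only the first and last few characters of an address is a weaker test than the full comparison above, because an attacker can pre-generate vanity addresses that share a prefix with common targets. Second, the comparison is only as trustworthy as the second channel: if both parties read the address from phones that carry the same trojanized app, both views may already have been rewritten.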

These malicious apps also harvest device information, the full WhatsApp message history, and images stored on the device. The images are of particular interest because many users photograph or screenshot the mnemonic (seed) phrase that backs up a crypto wallet; anyone who obtains that phrase can restore the wallet elsewhere and take full control of its funds.

The compromised phones are usually knockoffs of popular Samsung and Huawei models, sold under labels such as S23 Ultra, S24 Ultra, Note 13 Pro and P70 Ultra. Many of them carry the SHOWJI brand and report spoofed specifications, so the device claims to run the latest Android 14 on premium hardware when it does not. The trojan was injected into legitimate apps with LSPatch, an open-source tool for patching Android apps without root access; Doctor Web found at least 40 trojanized apps, including QR code scanners and chat platforms.

There is growing concern that many of these cheap devices have made their way into African markets, where consumer purchasing power is limited. Countries such as Ghana, Togo and Nigeria could be especially exposed because demand for affordable smartphones is high and buyers have little way to verify a device before purchase.

Cybersecurity analysts found that the operators of this campaign use more than 60 command-and-control servers and at least 30 domains. The operation has been lucrative: they have reportedly stolen over $1.6 million in cryptocurrency so far.

This incident is part of a broader trend. Swiss firm PRODAFT recently reported a new Android malware family named Gorilla, written in Kotlin. It steals user data, intercepts SMS messages (including one-time codes delivered by text), and establishes persistent backdoor access to infected devices. Gorilla is believed to still be under active development.

Moreover, Google Play has hosted several fake apps carrying the FakeApp trojan. These apps impersonate popular games and tools, fetch their operating configuration through DNS queries rather than from an obvious web server, and then carry out harmful actions such as phishing and browser hijacking. Although they have since been removed, they show that malicious Android apps continue to reach even the official store.

This campaign highlights the urgent need for vigilance, especially in markets with limited access to premium devices. Users should install messaging and wallet apps only from official app stores, treat apps that came pre-installed on a suspiciously cheap phone with suspicion, confirm a wallet address with the other party through a second channel before sending funds, and never store a seed phrase as a photo or screenshot on the phone.
