Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp

Cheap Android phones with preinstalled malware use fake apps like WhatsApp to hijack crypto transactions and steal wallet recovery phrases.

A new wave of smartphone-based attacks is draining crypto wallets without victims ever realising it. According to researchers at Doctor Web, a surge in malware-laced Android phones has exposed a coordinated operation where attackers are embedding spyware directly into the software of newly sold devices. The goal is to intercept cryptocurrency transactions through a hijacked version of WhatsApp.

Cheap Phones, Expensive Consequences

The phones in question look familiar. Models like the “S23 Ultra,” “Note 13 Pro,” and “P70 Ultra” imitate premium brands with sleek branding and tempting specs. But beneath the surface they run older software while claiming to have the latest Android version, and they ship with malicious software built in.

The infected devices ship with preinstalled, modified versions of WhatsApp that operate as clippers, which are malicious programs designed to replace copied cryptocurrency wallet addresses with the attacker’s own. Once installed, this fake WhatsApp quietly swaps out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat.

Even more worrying, victims never see anything suspicious. The malware shows the correct wallet address on the sender’s screen but delivers the wrong one to the receiver and vice versa. Everything looks normal until the money disappears.

Not Just WhatsApp

The attackers didn’t stop at one app. According to Dr. Web’s report, researchers found nearly 40 fake applications, including Telegram, crypto wallets like Trust Wallet and MathWallet, QR code readers, and others. The technique behind the infection relies on a tool called LSPatch, which allows modifications without altering the core app code. This method not only evades detection but also lets the malicious code survive updates.

What makes this campaign particularly dangerous is the supply chain angle. Researchers believe the infection occurred at the manufacturing stage, meaning these phones were compromised before reaching store shelves. Many devices originate from smaller Chinese brands, with some models linked to a label called “SHOWJI.” Others remain untraceable.

SHOWJI S19 Pro      Note 30i     Camon 20
SHOWJI Note 13 Pro  S23 Ultra    P70 Ultra
SHOWJI X100S Pro    S18 Pro      M14 Ultra
SHOWJI Reno12 Pro   6 Pro        S24 Ultra

Smartphone models identified by Dr. Web as malicious

Beyond Message Hijacking

The spyware doesn’t just swap out wallet addresses; it digs through targeted devices’ image folders like DCIM, Downloads, and Screenshots, looking for pictures of recovery phrases. A lot of people snap screenshots of these for convenience, but those phrases are the master keys to their crypto wallets. If attackers get their hands on them, they can drain the account in minutes.

To make things worse, the malicious WhatsApp update system doesn’t point to official servers. Instead, it fetches updates from domains controlled by the hackers, ensuring the spyware stays functional and up to date.

So far, Doctor Web has identified over 60 servers and 30 domains used in the campaign. Some attacker wallets linked to the operation have already received more than $1 million, with others holding six-figure balances. And because many addresses are generated dynamically, the full financial scope remains unclear.

One of the attacker-controlled wallets has already stolen a substantial amount of cryptocurrency from victims (Screenshot via Dr. Web).

Google Knows

In a comment to Hackread.com, a Google spokesperson clarified that the infected devices are not officially supported or recognised by Google. Instead, they run on the Android Open Source Project (AOSP) version of Android, which is freely available for anyone to use or modify. However, these devices are not Play Protect certified, meaning they haven’t undergone Google’s official security and compatibility testing.

“The infected devices are Android Open Source Project devices, not Android OS or Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”

A Google spokesperson

How to Stay Safe

Cybersecurity experts at Dr. Web warned users to be extra cautious, especially when it comes to mobile devices and crypto security. They recommend avoiding Android phones from unverified sellers, particularly if the price feels too good to be true. To check that a device is genuine, tools like DevCheck can help verify hardware specs, since fake models often spoof the system details shown even in well-known apps like CPU-Z or AIDA64.
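Two of the checks described above can be scripted against the output of standard Android tooling. The following example is added here and is not code from Dr. Web or Hackread: it flags a build whose reported Android release does not match its API level (the version spoofing the article describes) and confirms whether an installed WhatsApp APK still carries its original signing certificate, since any LSPatch-repackaged APK has to be re-signed with a different key. The property format is that of `adb shell getprop`, the digest line that of `apksigner verify --print-certs`; the expected WhatsApp digest is a placeholder you must replace with one taken from a known-good Play Store install.

```python
import re

# Android release string -> API level, from AOSP release history.
RELEASE_TO_SDK = {"10": 29, "11": 30, "12": 31, "12L": 32,
                  "13": 33, "14": 34, "15": 35}

def parse_getprop(text):
    """Parse `adb shell getprop` output ([key]: [value] lines) into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[(.*)\]$", text, re.MULTILINE)}

def check_build_props(text):
    """Return findings where the claimed release and the real API level disagree."""
    props = parse_getprop(text)
    release = props.get("ro.build.version.release", "")
    sdk = props.get("ro.build.version.sdk", "")
    expected = RELEASE_TO_SDK.get(release)
    findings = []
    if expected is not None and sdk.isdigit() and int(sdk) != expected:
        findings.append(f"release {release} claims API {expected} but sdk={sdk}")
    return findings

def signer_digest(apksigner_output):
    """Extract the first signer's SHA-256 digest from apksigner output."""
    m = re.search(r"Signer #1 certificate SHA-256 digest: ([0-9a-f]{64})",
                  apksigner_output)
    return m.group(1) if m else None

def whatsapp_is_official(apksigner_output, expected_digest):
    """True only if the APK is signed by the certificate you trust."""
    return signer_digest(apksigner_output) == expected_digest.lower()

# Constructed sample: a phone reporting Android 14 on top of an API-30 build.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [14]
[ro.build.version.sdk]: [30]
[ro.product.model]: [S23 Ultra]
"""

# PLACEHOLDER, not the real WhatsApp certificate digest: obtain the genuine
# value from a known-good Play Store install before relying on this check.
EXPECTED_WHATSAPP_SHA256 = "00" * 32

# Constructed apksigner output for a re-signed (repackaged) APK.
SAMPLE_APKSIGNER = ("Signer #1 certificate DN: CN=Constructed Resigner\n"
                    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n")

if __name__ == "__main__":
    print(check_build_props(SAMPLE_GETPROP))
    print(whatsapp_is_official(SAMPLE_APKSIGNER, EXPECTED_WHATSAPP_SHA256))
```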

Experts also advise against storing recovery phrases, passwords, or private keys as unencrypted images or text files, which can be easy targets for spyware. Installing reliable security software can help catch deeper system-level threats. And when it comes to downloading apps, it’s safest to stick with official sources like Google Play.

Although the campaign is currently targeting Russian-speaking users, pre-installed malware on cheap Android devices, including smartphones and TV boxes, has already been used to target unsuspecting users worldwide. Therefore, regardless of your location, if your Android phone isn’t what it claimed to be or if you’ve recently bought an off-brand device, it might be worth checking what’s running under the hood.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.