
Clipper Malware Preinstalled in Android Devices Targeting Crypto Wallets


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Starting in June 2024, Doctor Web researchers uncovered a large-scale supply chain attack targeting low-cost Android smartphones, primarily affecting devices falsely advertised as high-end models such as the S23 Ultra or Note 13 Pro. These phones, often branded SHOWJI or sold by unidentified manufacturers, were found to ship with pre-installed trojanized versions of WhatsApp containing clipboard-hijacking malware, known as a "clipper."

This malware intercepts and replaces copied cryptocurrency wallet addresses with those of the attackers, enabling silent theft during transactions. The campaign marks a shift from previous tactics, such as distributing malicious apps through YouTube links, to embedding malware directly in the firmware via compromised manufacturing channels.

These fake phones also ran outdated Android 12 versions, despite claiming Android 14, and used spoofing apps to fake hardware specs in system menus and popular diagnostic tools. The campaign reflects growing abuse of Android’s open ecosystem to exploit user trust and target the rising global adoption of cryptocurrency, especially in regions where users rely on third-party app sources.

Technical Details

The threat actors behind this campaign built their trojanized version of WhatsApp with the LSPatch framework, which modifies an app's behavior without directly altering its original code and allows additional modules to be loaded. In this case, the malicious module com.whatsHook.apk was hidden in the assets folder. One of its key functions is update hijacking: instead of checking for updates from the official WhatsApp server, the app contacts a server controlled by the attackers, such as hxxps://apk-download[.]pro, which ensures that the malicious version stays installed and under their control.

The malware includes enhanced clipper functionality, scanning incoming and outgoing messages for Tron (starting with T) and Ethereum (starting with 0x) wallet address patterns. These are replaced with the attackers’ wallet addresses, all while displaying the correct original address to the user, thus hiding the replacement. If the malware cannot connect to its C&C server, it uses hardcoded backup addresses such as “TN7pfenJ1ePpjoPFaeu46pxjT9rhYDqW66” and “0x673dB7Ed16A13Aa137d39401a085892D5e1f0fCA”.
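The substitution described above is detectable from the defender's side because a clipper produces a measurable mismatch: the address the user composed differs from the address that actually leaves the device. The following Python module is an added example written for this post; it is not code from Doctor Web, FMI or the malware itself. It encodes the two address formats the report names (Tron and Ethereum), compares a composed message with the transmitted one, and also matches text against the two hardcoded fallback addresses quoted in the report. The user wallet address and the messages are constructed sample data.

```python
import re

# Address formats the clipper targets, per the report: Tron (Base58, "T" prefix,
# 34 characters) and Ethereum ("0x" followed by 40 hex digits).
WALLET_PATTERNS = {
    "tron": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

# Hardcoded fallback addresses quoted in the report (indicators of compromise).
KNOWN_IOC_ADDRESSES = {
    "TN7pfenJ1ePpjoPFaeu46pxjT9rhYDqW66",
    "0x673dB7Ed16A13Aa137d39401a085892D5e1f0fCA",
}


def find_wallet_addresses(text):
    """Return (kind, address, offset) tuples for every wallet address in text, in order."""
    found = []
    for kind, pattern in WALLET_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((kind, m.group(0), m.start()))
    return sorted(found, key=lambda t: t[2])


def detect_substitution(composed, transmitted):
    """Compare what the user composed with what actually left the device.

    Returns (original, replacement) pairs for every wallet address that was swapped
    for a different address of the same kind. The clipper described in the report
    shows the user the original address while sending the replacement, so this
    comparison has to be made on the outbound data, not on the screen contents.
    """
    before = find_wallet_addresses(composed)
    after = find_wallet_addresses(transmitted)
    swaps = []
    for (kind_a, addr_a, _), (kind_b, addr_b, _) in zip(before, after):
        if kind_a == kind_b and addr_a != addr_b:
            swaps.append((addr_a, addr_b))
    return swaps


def match_known_iocs(text):
    """Return known attacker fallback addresses found in text, e.g. strings dumped
    from an APK or a captured outbound message."""
    return [addr for _, addr, _ in find_wallet_addresses(text)
            if addr in KNOWN_IOC_ADDRESSES]


# Constructed sample (not real traffic): the address the user typed, and the same
# message as transmitted after a clipper swapped it for an attacker address.
USER_TRON_ADDRESS = "TUserWa11etExampLe2345678abcdefghi"  # constructed, not a real wallet
COMPOSED = f"Send the 50 USDT to {USER_TRON_ADDRESS} thanks"
TRANSMITTED = COMPOSED.replace(USER_TRON_ADDRESS, "TN7pfenJ1ePpjoPFaeu46pxjT9rhYDqW66")

if __name__ == "__main__":
    for original, replacement in detect_substitution(COMPOSED, TRANSMITTED):
        print(f"ALERT: wallet address swapped {original} -> {replacement}")
    print("known IoC addresses present:", match_known_iocs(TRANSMITTED))
```

In practice the "transmitted" side would come from a network capture or a proxy in front of the device, since the trojanized app controls what the screen shows; the pattern-matching and comparison logic stays the same.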

The Trojan also exfiltrates all messages from WhatsApp chats and searches local folders such as DCIM, DOWNLOADS, PICTURES, DOCUMENTS, ALARMS, and SCREENSHOTS for image files (.jpg, .png, .jpeg). The goal is to locate mnemonic recovery phrases (12 to 24 word sequences that grant access to a crypto wallet), which users often store as screenshots. Access to such a phrase lets attackers steal the wallet's entire balance.

In addition, the malware gathers device metadata, including the manufacturer, model, language settings, and the name of the compromised application. The attackers modified around 40 apps, including messengers like WhatsApp and Telegram, QR code scanners, and widely used crypto wallet apps like MathWallet and Trust Wallet.

Named Shibai after a string found in its code (Log.e("", "-------------------SHIBAI-释放---------- --")), the trojan is part of a large-scale operation. The attackers operate more than 60 command-and-control servers and use about 30 domains to distribute the malware. Financial analysis showed that one wallet linked to the operation received over a million dollars, another held half a million, and many others held up to $100,000, indicating the campaign has been highly lucrative. However, because wallet addresses can be pulled dynamically from attacker-controlled servers, the full extent of the profits remains unknown.

Recommendations

  • Avoid purchasing unverified or low-cost Android devices from unknown brands or third-party sellers, especially those with suspiciously high-end specifications at unusually low prices.

  • Only install apps from trusted sources, such as the Google Play Store or official websites, and avoid downloading APKs from third-party or unknown platforms.

  • Use a reputable mobile security solution that can detect trojanized apps and monitor for suspicious behavior, including clipboard manipulation and data exfiltration.

  • Verify device specifications using trusted apps like DevCheck, instead of relying on system-provided information, which can be spoofed.

  • Never store sensitive information like cryptocurrency wallet seed phrases or private keys as screenshots or plain text files on your device—use secure, offline storage options instead.

  • Check for unexpected app behavior, such as update URLs pointing to unknown domains or permissions that don’t match the app’s purpose.

  • Regularly audit installed apps and remove any unknown or unnecessary applications.

  • Keep your device's OS and apps updated to benefit from the latest security patches. If your device isn't receiving official updates, consider it a security risk.

  • Enable Play Protect in Google Play settings to automatically scan for and remove harmful apps.

  • Be cautious with links in social media or video descriptions, especially those offering free versions of popular apps, as they are often used to spread malware.
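The recommendation to verify device specifications rather than trust the system menus can be partly automated when a device is in hand. The following Python script is an added example, not part of the original post or of any tool it mentions. It parses the output of `adb shell getprop` (the sample output below is constructed to mirror the report: a phone reporting Android 14 in its user-visible release string while its SDK level is 31, which belongs to Android 12) and flags two things: a release string that contradicts the SDK level, and a security patch level older than a threshold. The release-to-API mapping is the public Android platform mapping; the assumption that a counterfeit is more likely to spoof the release string than the SDK level is a heuristic, and the 180-day threshold is a hypothetical choice.

```python
import re
from datetime import date

# Public Android release -> API level mapping (12 and 12L share a release string).
RELEASE_TO_API = {
    "10": {29}, "11": {30}, "12": {31, 32}, "13": {33}, "14": {34}, "15": {35},
}
API_TO_RELEASE = {api: rel for rel, apis in RELEASE_TO_API.items() for api in apis}

# Each `getprop` line looks like: [ro.build.version.sdk]: [34]
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output):
    """Parse the text of `adb shell getprop` into a dict of property -> value."""
    props = {}
    for line in output.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def check_device_claims(props, today, max_patch_age_days=180):
    """Return findings where the device's own properties contradict each other or
    show it is not being maintained. An empty list means nothing suspicious found."""
    findings = []
    release = props.get("ro.build.version.release", "").split(".")[0]
    sdk = props.get("ro.build.version.sdk", "")
    if release and sdk.isdigit():
        actual = API_TO_RELEASE.get(int(sdk))
        if actual is not None and int(sdk) not in RELEASE_TO_API.get(release, set()):
            findings.append(f"release string claims Android {release} but SDK level {sdk} "
                            f"belongs to Android {actual}")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        patch_date = date.fromisoformat(patch)
    except ValueError:
        findings.append("no parseable security patch level")
    else:
        age = (today - patch_date).days
        if age > max_patch_age_days:
            findings.append(f"security patch level {patch} is {age} days old")
    return findings


# Constructed sample output (not captured from a real device), modelled on the report.
SAMPLE_SUSPECT = """\
[ro.build.version.release]: [14]
[ro.build.version.sdk]: [31]
[ro.build.version.security_patch]: [2022-03-05]
[ro.product.model]: [S23 Ultra]
"""

SAMPLE_CLEAN = """\
[ro.build.version.release]: [14]
[ro.build.version.sdk]: [34]
[ro.build.version.security_patch]: [2025-04-05]
"""

# Fixed reference date so the age check is deterministic (assumed analysis date).
REFERENCE_TODAY = date(2025, 5, 1)

if __name__ == "__main__":
    for finding in check_device_claims(parse_getprop(SAMPLE_SUSPECT), REFERENCE_TODAY):
        print("FINDING:", finding)
```

Run it against a live device by piping `adb shell getprop` into `parse_getprop`. A mismatch between the two version properties is not proof of tampering on its own, but on a device sold as a flagship it is exactly the kind of inconsistency the post's recommendation is asking buyers to look for.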

Conclusion

The Shibai campaign represents a highly sophisticated and profitable operation leveraging supply chain attacks, trojanized apps, and advanced clipping techniques to steal cryptocurrency from unsuspecting Android users. By abusing tools like LSPatch and embedding malicious modules in pre-installed or fake apps, the attackers effectively bypass user awareness and security mechanisms. With capabilities ranging from update hijacking to mnemonic phrase theft and exfiltration of personal messages, Shibai highlights the growing threat posed by deeply embedded mobile malware, especially in low-end counterfeit devices.
