Full Report
Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024. While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to
Analysis Summary
# Tool/Technique: Shibai Trojan
## Overview
Shibai is a trojanized application injected into otherwise legitimate Android software (like WhatsApp) through the use of the open-source project LSPatch. This campaign targets cheap Android smartphones from Chinese manufacturers, pre-installing the malware during the supply chain process. Its primary goal is cryptocurrency theft via wallet address replacement (clipping).
## Technical Details
- Type: Malware family (Trojan)
- Platform: Android
- Capabilities: Cryptocurrency wallet address replacement (clipper functionality), data exfiltration (messages, images), hardware/software spoofing.
- First Seen: Campaign observed since June 2024.
## MITRE ATT&CK Mapping
This campaign primarily exhibits techniques related to credential access and impact.
- **TA0006 - Credential Access**
  - T1119 - Automated Collection
    - T1119.001 - Data from Application Log Files (Harvesting chat messages)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0003 - Persistence**
  - T1543.003 - Create or Modify System Process: Systemd Services (Implied persistence via pre-installed application)
- **TA0005 - Defense Evasion**
  - T1036 - Masquerading
    - T1036.005 - Match Legitimate Name or Location (Masquerading as popular apps like WhatsApp)
## Functionality
### Core Capabilities
- **Cryptocurrency Clipper:** Hijacks the application update process to download an APK. It scans chat conversations for Ethereum or Tron wallet address patterns. Upon finding a match, it replaces the legitimate address with the attacker’s address, both when sending and receiving messages.
- **Data Harvesting:** Collects all WhatsApp messages, and various image files (.jpg, .png, .jpeg) from DCIM, Pictures, Alarms, Downloads, Documents, and Screenshots folders.
### Advanced Features
- **Credential Harvesting via Images:** Scans harvested images specifically for cryptocurrency wallet recovery (mnemonic) phrases to drain wallets.
- **Supply Chain Compromise:** Malicious code is pre-installed on brand new devices from specific Chinese manufacturers (e.g., SHOWJI brand devices).
- **Device Spoofing:** Uses an external application to spoof the technical specifications shown on the "About Device" page and in diagnostic utilities (AIDA64, CPU-Z), so that they display false hardware and Android version information (e.g., Android 14).
- **Injection Method:** Utilizes the **LSPatch** open-source project to inject the malicious logic into legitimate applications.
## Indicators of Compromise
- File Hashes: (Not provided in the context)
- File Names: Trojanized WhatsApp and Telegram apps, ~40 different modified applications.
- Registry Keys: (Not applicable to Android context directly, but persistence mechanisms would be involved)
- Network Indicators: Leverages ~30 domains for distribution and >60 Command-and-Control (C2) servers for management.
- Behavioral Indicators: Wallet address replacement during communication; exfiltration of messages and images upon execution.
## Associated Threat Actors
- Attribution is not explicitly stated in the provided text, but the sophistication suggests organized criminal activity targeting hard-to-trace supply chains.
## Detection Methods
- Clipper detection: Monitoring messaging-app behavior for unauthorized modification of chat data, specifically wallet address substitution in messages being sent or displayed.
- Behavioral detection: Observing data collection activity that targets messaging data and image directories.
- YARA rules: (Not provided)
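The two detection points above (and the clipper behavior described under Core Capabilities) come down to one check: did a wallet address change between the text a user composed or received and the text the app actually transmitted or displayed? The following is an added example, not code from the report or from Doctor Web; it assumes an analyst already has before/after message pairs (for instance from a test harness or from comparing a sender's and a recipient's message exports), which the page does not describe. Address matching is purely syntactic (length and alphabet of Ethereum and Tron addresses), with no checksum validation, and all addresses in the sample records are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from itertools import zip_longest

# Syntactic patterns for the two address families the Shibai clipper targets.
# Assumption: plain regex checks; no EIP-55 or base58check validation is performed.
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_ADDR = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")


def extract_addresses(text: str) -> list[tuple[str, str]]:
    """Return (kind, address) pairs found in `text`, in order of appearance."""
    hits = []
    for kind, pattern in (("ethereum", ETH_ADDR), ("tron", TRON_ADDR)):
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    hits.sort()  # positions are unique, so this orders by appearance
    return [(kind, addr) for _, kind, addr in hits]


@dataclass
class MessageRecord:
    """One message captured before and after the messaging app handled it.

    direction: "out" for a message the user composed, "in" for one received.
    before:    text as typed by the user (out) or as it arrived from the network (in).
    after:     text that actually left the device (out) or that the UI displayed (in).
    Assumption: the analyst supplies these pairs; the page describes no API for them.
    """
    direction: str
    before: str
    after: str


def detect_substitution(record: MessageRecord) -> list[dict]:
    """Flag every wallet address that differs between `before` and `after`.

    A clipper rewrites the address and leaves the surrounding text intact, so a
    positional comparison of the extracted addresses is enough to catch it; an
    address that appears or disappears entirely is reported with a None side.
    """
    before = extract_addresses(record.before)
    after = extract_addresses(record.after)
    alerts = []
    pairs = zip_longest(before, after, fillvalue=(None, None))
    for (kind_b, orig), (kind_a, new) in pairs:
        if orig != new:
            alerts.append({
                "direction": record.direction,
                "kind": kind_b or kind_a,
                "original": orig,
                "replaced_with": new,
            })
    return alerts


def scan_records(records: list[MessageRecord]) -> list[dict]:
    """Run the substitution check over a batch and tag each alert with its record index."""
    alerts = []
    for idx, rec in enumerate(records):
        for alert in detect_substitution(rec):
            alert["record"] = idx
            alerts.append(alert)
    return alerts


# Constructed sample addresses (not real wallets): correct length and alphabet only.
USER_ETH = "0x" + "1" * 40
ATTACKER_ETH = "0x" + "2" * 40
PEER_TRON = "T" + "A" * 33
ATTACKER_TRON = "T" + "B" * 33

# Constructed before/after pairs: two benign, one clipped outgoing, one clipped incoming.
SAMPLE_RECORDS = [
    MessageRecord("out", f"send to {USER_ETH}", f"send to {USER_ETH}"),
    MessageRecord("out", f"my wallet: {USER_ETH}", f"my wallet: {ATTACKER_ETH}"),
    MessageRecord("in", f"pay {PEER_TRON} thanks", f"pay {ATTACKER_TRON} thanks"),
    MessageRecord("out", f"eth {USER_ETH} or tron {PEER_TRON}",
                  f"eth {USER_ETH} or tron {PEER_TRON}"),
]

if __name__ == "__main__":
    for alert in scan_records(SAMPLE_RECORDS):
        print(f"record {alert['record']} ({alert['direction']}): {alert['kind']} address "
              f"{alert['original']} replaced with {alert['replaced_with']}")
```

The same comparison is what the mitigation under Mitigation Strategies asks a user to do by hand: trust only the address shown immediately before confirming, never the one remembered from the conversation, because the clipper rewrites both outgoing and incoming text.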
## Mitigation Strategies
- Users should purchase devices only from trusted, official vendors. Avoid cheap, counterfeit phones mimicking premium models.
- Employ robust mobile security solutions capable of application behavior monitoring.
- Verify wallet addresses displayed immediately before confirming a transaction, even if the address appears correct in the conversation history.
## Related Tools/Techniques
- **LSPatch:** The tool used to inject the Shibai trojan into legitimate apps.
- **Gorilla Malware:** Another recently discovered Android malware family mentioned, which focuses on SMS interception and data collection but reportedly lacks obfuscation.
- **FakeApp Trojan:** Mentioned as another trojan propagating via app stores, utilizing DNS servers for configuration retrieval.
***
# Tool/Technique: Gorilla Malware Family
## Overview
Gorilla is a new Android malware family designed to collect sensitive device information, maintain persistent access, and reliably communicate with remote C2 servers. It was discovered by PRODAFT.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Sensitive information collection (device model, phone number, Android version, SIM details, installed apps), persistent access, C2 communication.
- First Seen: Recent months (relative to the article date).
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1005 - Data from Local System (Collecting device/SIM information)
- **TA0008 - Lateral Movement** (Implied by persistent access)
- **TA0009 - Collection**
  - T1005 - Data from Local System
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- **Data Collection:** Gathers device model, phone number, Android version, SIM card details, and a list of installed applications.
- **SMS Interception:** Primarily focuses on intercepting SMS messages.
- **Persistent Communication:** Maintains persistent communication with its C2 server.
### Advanced Features
- The malware is written in Kotlin.
- Notably, it **does not yet employ obfuscation techniques**, suggesting it may still be under active development.
## Indicators of Compromise
- File Hashes: (Not provided)
- File Names: (Not provided)
- Registry Keys: (Not applicable to Android context directly)
- Network Indicators: Communicates with remote command-and-control servers.
- Behavioral Indicators: Focus on SMS interception and heavy data collection upon initial compromise.
## Associated Threat Actors
- Unknown (Discovered by PRODAFT).
## Detection Methods
- Signature-based detection targeting the known capabilities and communication patterns.
- Behavioral analysis looking for extensive device enumeration and SMS monitoring.
## Mitigation Strategies
- Keep Android devices updated to the latest OS versions.
- Monitor installed applications and only install software from reputable sources.
- Implement strong monitoring for abnormal SMS activity or large-scale device data requests.
## Related Tools/Techniques
- **Shibai Trojan:** Another contemporary Android malware discussed, though Shibai focuses on supply chain compromise and cryptocurrency clipping.