Proprietary 2024-06-01 · 319 days · Cryptocurrency Theft, Data Theft, Spyware

Knockoff phones shipped Shibai clippers

Low-cost Chinese Android phones shipped with trojanized WhatsApp and Telegram apps that used Shibai to replace cryptocurrency wallet addresses.

Story

Doctor Web found low-cost Android smartphones arriving with malicious messenger apps already installed. The phones imitated premium models such as S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra; several affected models were tied to the SHOWJI brand.

The malicious apps looked like WhatsApp, Telegram, QR scanners, and crypto utilities. Attackers used LSPatch, a tool that repackages an APK with Xposed-style hooks so they load without root, to inject Shibai into otherwise legitimate-looking apps, and hijacked the apps' update mechanism so that update checks fetched APKs from attacker-controlled servers instead of the official source.

Shibai scanned chat text for strings shaped like Ethereum addresses (0x followed by 40 hex digits) and Tron addresses (T followed by 33 Base58 characters). On outgoing messages it could keep the victim's own, correct address on screen while delivering the attacker-controlled address to the recipient; on incoming messages it could replace the sender's address before the victim ever saw it.
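The substitution described above, as an added toy model in Python rather than Shibai's own code: the address regexes are the generic Ethereum and Tron address shapes, the attacker wallets and message texts are constructed placeholders, and the final function is the comparison a responder can run by lining up the conversation as rendered on the suspect phone against an independent copy (the other party's device or a pre-infection backup).

```python
"""Toy model of an address-swapping clipper and the check that exposes it.
Added example, not Shibai's code: regexes are generic ETH/Tron address shapes,
wallet addresses and messages are constructed placeholders."""
import re
from dataclasses import dataclass

# Ethereum: "0x" + 40 hex digits. Tron: "T" + 33 Base58 characters (no 0, O, I, l).
# The \b anchors stop a 64-hex transaction hash from matching as an address.
ETH_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_ADDR = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")

# Constructed attacker wallets; a real clipper fetches these from its C2 or config.
ATTACKER = {"eth": "0x" + "ef" * 20, "tron": "T" + "a" * 33}


def find_addresses(text):
    """Return (kind, address) pairs in the order they occur in text."""
    hits = [(m.start(), "eth", m.group()) for m in ETH_ADDR.finditer(text)]
    hits += [(m.start(), "tron", m.group()) for m in TRON_ADDR.finditer(text)]
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def swap_addresses(text, wallets=ATTACKER):
    """The clipper's transform: every wallet address in text becomes the attacker's."""
    text = ETH_ADDR.sub(wallets["eth"], text)
    return TRON_ADDR.sub(wallets["tron"], text)


@dataclass
class Message:
    shown: str  # what the messenger UI renders on the infected phone
    wire: str   # what actually left the phone, or actually arrived at it


def send(text):
    """Outgoing: the victim sees their own text; the recipient gets the swapped copy."""
    return Message(shown=text, wire=swap_addresses(text))


def receive(wire_text):
    """Incoming: the genuine text arrived, but the victim is shown the swapped copy."""
    return Message(shown=swap_addresses(wire_text), wire=wire_text)


def clipper_indicators(shown, wire):
    """Responder check: compare the conversation as rendered on the suspect device
    with an independent copy. Returns (shown, wire) address pairs that differ;
    a clean device yields []."""
    shown_addrs = [a for _, a in find_addresses(shown)]
    wire_addrs = [a for _, a in find_addresses(wire)]
    if len(shown_addrs) != len(wire_addrs):
        # Substitution is one-for-one, so a count mismatch means something other
        # than a clipper edited the text; surface it rather than zip past it.
        raise ValueError("address count differs between the two copies")
    return [(s, w) for s, w in zip(shown_addrs, wire_addrs) if s != w]


if __name__ == "__main__":
    victim_eth = "0x" + "ab" * 20
    out = send(f"my wallet is {victim_eth}")
    print("victim sees  :", out.shown)
    print("recipient got:", out.wire)
    print("indicators   :", clipper_indicators(out.shown, out.wire))
```

The check only works against a copy the clipper never touched, which is why the recipient's device or an older backup is the reference; the infected phone's own database can already hold the swapped text. Syntactic validation of the address is no defence, since the attacker's wallet is a perfectly well-formed address.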

The same implant also exfiltrated WhatsApp messages, device data, and images from common folders so that attackers could search them for wallet recovery phrases. This incident is modeled separately from Triada.z because the public evidence names different payloads, apps, and device families, even though both abused counterfeit Android device distribution.

Affected Artifacts

org.telegram.messenger

android · Mobile App
Observed
2024-06-01 to 2025-04-16
Compromised Versions
Unknown
Fixed
Not listed
Evidence
pkg://android/org.telegram.messenger, mirror: thehackernews.com/2025/04/chinese-android-phones-shipped-with.html, malware: Shibai, observable: Doctor Web reporting described about 40 modified apps across the affected devices.
  • Affected device names included S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra; at least four affected models were manufactured under the SHOWJI brand.

Incident Context

Motive
Cryptocurrency Theft
Cause
Firmware Supply Chain Compromise
Transitive
No

External References

Source record: proprietary/shibai-phones/meta.yaml