Reports indicate a significant cybersecurity threat: altered versions of the popular messaging application, Telegram, are being found pre-installed on specific budget-friendly Android smartphones. These devices are primarily distributed within the Chinese market.

The modified applications are designed with a malicious intent: to illicitly acquire sensitive user data. This includes highly personal information and, crucially, cryptocurrency.

At the core of this threat lies sophisticated malware. Security researchers, particularly from Doctor Web, have identified this malicious software, which they’ve named “Shibai.”

This malware is directly embedded within these “trojanized” Telegram applications. This points to a severe supply chain compromise, meaning consumers are purchasing phones that are already infected from the moment they are acquired.

One of the most dangerous Shibai capabilities is its “crypto clipper”: the malware covertly monitors the device clipboard for cryptocurrency wallet addresses.

When the user copies a wallet address, the malware replaces it in the clipboard with an attacker-controlled address, so a transaction pasted from the clipboard is sent to the attackers instead of the intended recipient, causing direct financial losses.
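To illustrate how a clipper swap shows up from the defender's side, here is an added example (not code from the original report or from Doctor Web) that scans a constructed clipboard-event log for a wallet address being overwritten by a different address of the same chain, shortly after the user copied it, by a package other than the one that wrote the original. The package names, timestamps and address regexes are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Coarse address shapes used only to classify clipboard text (constructed for this example).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc": re.compile(r"^(bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

def address_kind(text: str):
    """Return the chain label if text looks like a wallet address, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

@dataclass
class ClipEvent:
    t_ms: int        # time the clipboard was written
    writer: str      # package that performed the write
    content: str     # new clipboard text

def detect_clipper_swaps(events, window_ms=2000):
    """Flag a write that replaces a wallet address with a different address of the
    same chain within window_ms, from a package other than the original writer.
    Returns (original, replacement, writer) tuples."""
    alerts, prev = [], None
    for ev in events:
        if prev is not None:
            kind, prev_kind = address_kind(ev.content), address_kind(prev.content)
            if (kind is not None and kind == prev_kind
                    and ev.content != prev.content
                    and ev.writer != prev.writer
                    and 0 <= ev.t_ms - prev.t_ms <= window_ms):
                alerts.append((prev.content, ev.content, ev.writer))
        prev = ev
    return alerts

# Constructed event log: a wallet app copies an address, a hypothetical modified
# messenger package overwrites it 150 ms later; the later BTC re-copy by the user is benign.
SAMPLE_EVENTS = [
    ClipEvent(1000, "com.example.wallet", "0x" + "ab12" * 10),
    ClipEvent(1150, "com.example.modified.messenger", "0x" + "ffee" * 10),
    ClipEvent(9000, "com.example.notes", "meeting at 10"),
    ClipEvent(20000, "com.example.wallet", "bc1q" + "a" * 30),
    ClipEvent(80000, "com.example.wallet", "bc1q" + "b" * 30),
]
```

Running `detect_clipper_swaps(SAMPLE_EVENTS)` returns one alert naming the modified messenger package; the same comparison (what was copied versus what is about to be pasted) is the check a wallet app can perform before submitting a transaction.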

Beyond cryptocurrency theft, the Shibai malware is also equipped to exfiltrate other forms of sensitive data. This includes private chat messages accessed through the compromised Telegram application.

Furthermore, the malware can actively scan device storage. It specifically searches for images that might contain cryptocurrency wallet recovery phrases, which, if discovered, grant attackers complete access to a user’s digital assets.

These compromised smartphones often attempt to deceive users by presenting false technical specifications. A device might misleadingly claim to run the latest Android 14 or boast superior hardware, when in reality, it may use an older Android 12 and contain inferior components.

This deceptive tactic helps the malware remain hidden and makes it more challenging for users to detect the compromise. This alarming campaign, active since at least June 2024, has shown rapid expansion, accumulating over a million dollars in stolen funds. Users should exercise extreme caution when purchasing new smartphones, especially budget options, and employ robust mobile security.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news