April 2025 — Global Security Alert
In a troubling revelation for Android users, cybersecurity experts at Doctor Web, a prominent Russian antivirus firm, have uncovered pre-installed malware on several low-cost Android smartphones manufactured in China. These devices, marketed under names mimicking popular models such as “S23 Ultra,” “S24 Ultra,” “Note 13 Pro,” and “P70 Ultra,” were found to come with malicious clones of WhatsApp and Telegram apps right out of the box.
The affected smartphones, reportedly distributed under the brand name SHOWJI, were discovered to contain malware that utilizes a sophisticated and stealthy method known as “clipping.”
What is Clipping?
The clipping technique silently replaces a copied cryptocurrency wallet address with one belonging to the attacker. To the victim, the address appears correct, but once the transaction is initiated, the funds are diverted to the criminal’s wallet. This is especially dangerous in cryptocurrency transactions, which are often irreversible once confirmed.
According to Doctor Web’s April 2025 report, the malware was injected into legitimate apps using LSPatch, an open-source tool that enables dynamic modification of Android applications. Over 40 common apps were found to be compromised in this way.
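A defender-side check for the repackaging described above, added here as an example and not taken from Doctor Web's report or the LSPatch project: it lists an APK's archive entries and reports anything stored under "assets/lspatch/". That directory, the "origin.apk" entry and the "modules/" subfolder are assumptions based on LSPatch's default output layout, and the sample archives are constructed.

```python
import io
import sys
import zipfile

# Assumption: default asset layout written by the open-source LSPatch tool.
LSPATCH_PREFIX = "assets/lspatch/"
EMBEDDED_ORIGINAL = LSPATCH_PREFIX + "origin.apk"
MODULES_PREFIX = LSPATCH_PREFIX + "modules/"


def inspect_apk(apk):
    """Return LSPatch indicators found in an APK (path or file-like object)."""
    report = {"patched": False, "embedded_original": False,
              "modules": [], "other": []}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not name.startswith(LSPATCH_PREFIX) or name.endswith("/"):
                continue
            report["patched"] = True
            if name == EMBEDDED_ORIGINAL:
                # The untouched app is carried inside the patched wrapper.
                report["embedded_original"] = True
            elif name.startswith(MODULES_PREFIX):
                # Embedded modules are the code injected into the app.
                report["modules"].append(name[len(MODULES_PREFIX):])
            else:
                report["other"].append(name)
    return report


def build_sample(entries):
    """Build an in-memory ZIP standing in for an APK (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"constructed sample")
    buf.seek(0)
    return buf


# Constructed entry lists; "example.module.apk" is a hypothetical name.
CLEAN_SAMPLE = ["AndroidManifest.xml", "classes.dex", "assets/fonts/a.ttf"]
PATCHED_SAMPLE = ["AndroidManifest.xml", "classes.dex",
                  "assets/lspatch/config.json", "assets/lspatch/origin.apk",
                  "assets/lspatch/modules/example.module.apk"]

if __name__ == "__main__":
    # Pass APK paths pulled from a device, or run with no arguments for a demo.
    targets = sys.argv[1:] or [build_sample(PATCHED_SAMPLE)]
    for target in targets:
        print(inspect_apk(target))
```

A hit only shows that the app was repackaged with this tool; whether the embedded module is malicious still requires analysis of the module itself.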
Beyond Clipping: A Full-Scale Spy Tool
This malware does not stop at financial theft. It also exfiltrates sensitive data including:
- Device and hardware information
- WhatsApp messages
- Images and document files
- Mnemonic (seed) phrases recovered from images, putting entire crypto wallets at risk
Such capabilities point to an alarming level of surveillance, especially for unsuspecting users who simply intended to purchase a functional yet affordable smartphone.
Devices and Brands Implicated
Though SHOWJI is the brand most directly linked, many of the smartphones mimic trusted names like Samsung and Huawei, increasing the likelihood of consumer deception. These counterfeit models are often sold via third-party e-commerce platforms or gray markets, making tracking and regulation difficult.
What Can Users Do?
1. Avoid unfamiliar smartphone brands, especially those that mimic major manufacturers.
2. Perform a full factory reset and scan with trusted security software after purchase.
3. Refrain from using pre-installed messaging apps and download only verified apps via Google Play.
4. Never store seed phrases, passwords, or private keys as plain images or text on your mobile device.
The findings from Doctor Web have sparked renewed debate about supply chain integrity, especially in devices meant for the budget-conscious market. As the cryptocurrency ecosystem continues to expand, cybercriminals are adapting faster than ever — and sometimes, the attack begins before the device even leaves the box.