Threat actors have infiltrated the supply chain of several Chinese smartphone manufacturers, embedding malicious code directly into system applications on devices before they reach consumers. Doctor Web researchers named the trojan "Shibai" after finding the string Log.e("", "——————-SHIBAI-释放————") in its code, likely referencing another cryptocurrency.

The attackers leveraged the LSPatch framework to modify WhatsApp without altering its primary code, instead loading additional malicious modules. The core malicious component, identified as com.whatsHook.apk, performs several critical functions that enable cryptocurrency theft. Doctor Web's report states that the malware hijacks application updates by redirecting update checks from the legitimate WhatsApp server to attacker-controlled domains. Beyond tampering with wallet addresses, the malware systematically searches the device's storage directories, including DCIM, PICTURES, DOWNLOADS, and SCREENSHOTS, for image files.

Financial analysis of associated cryptocurrency wallets revealed significant profits, with one wallet accumulating over a million dollars in the past two years, while another contained half a million dollars. As cryptocurrency adoption continues to increase globally, with approximately 20% of people in developed countries having used digital currencies, this supply chain attack represents a concerning evolution in threat actors' tactics targeting financial assets.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security.
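As an added triage example (not code from Doctor Web or this article), the check below inspects an APK for the two indicators the report names: an embedded com.whatsHook.apk module and the "SHIBAI-释放" log marker. It assumes the nested module sits under assets/ and that the marker survives in the dex as UTF-8; the sample archives are constructed in memory.

```python
import io
import zipfile

# Indicators taken from the report summary above: the nested payload name and
# the log marker that gave the trojan its name. Their exact location inside a
# trojanized build is an assumption for this example.
NESTED_PAYLOAD = "com.whatsHook.apk"
SHIBAI_MARKER = "SHIBAI-释放".encode("utf-8")


def scan_apk(apk_bytes: bytes) -> dict:
    """Triage an APK (a ZIP container) for the Shibai indicators.

    Returns the matching entry names so a reviewer can see exactly what
    tripped the check; an empty dict means no indicator was found.
    """
    findings = {"nested_apk": [], "shibai_marker": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            is_apk = name.lower().endswith(".apk")
            # A second APK carried inside the package is how repacks of this
            # kind ship their extra modules; flag any nested .apk entry.
            if is_apk:
                findings["nested_apk"].append(name)
            # Search dex code and nested archives for the naming marker.
            if is_apk or name.endswith(".dex"):
                if SHIBAI_MARKER in zf.read(name):
                    findings["shibai_marker"].append(name)
    return {k: v for k, v in findings.items() if v}


def build_sample(trojanized: bool) -> bytes:
    """Construct an in-memory APK-like ZIP (constructed demo data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder
        dex = b"dex\n" + b"clean code"
        if trojanized:
            dex += 'Log.e("", "-SHIBAI-释放-")'.encode("utf-8")
            zf.writestr("assets/" + NESTED_PAYLOAD, b"PK\x03\x04 nested module")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", scan_apk(build_sample(False)))
    print("trojanized:", scan_apk(build_sample(True)))
```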
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Apr 2025 11:40:13 +0000