Spyware-Infested Android Phones Steal Cryptocurrency in Global Malware Campaign
April 14, 2025
A coordinated operation is embedding spyware into inexpensive Android smartphones, allowing attackers to steal cryptocurrency from unsuspecting victims.
The malware is believed to be implanted during the manufacturing stage, particularly affecting devices from lesser-known Chinese brands, including those associated with the label 'SHOWJI.'
Researchers from Doctor Web have discovered that these compromised devices, which mimic premium models, run outdated software and come pre-installed with malicious software.
The malicious WhatsApp update system retrieves updates from hacker-controlled domains, ensuring that the spyware remains functional and up-to-date.
In addition to WhatsApp, nearly 40 other fake applications are infected, including Telegram and popular crypto wallets; the infected apps are built with a tool called LSPatch to evade detection.
The malware includes modified versions of WhatsApp that act as clippers, replacing cryptocurrency wallet addresses during transactions without the user's knowledge.
Victims see the correct wallet address on their screens, but the malware swaps it with the attacker's address, resulting in unnoticed financial theft.
The spyware also searches device folders for pictures of recovery phrases, which, if obtained, can give attackers access to crypto wallets.
Over 60 servers and 30 domains have been identified as part of this malware campaign, with associated wallets reportedly accumulating over $1 million in stolen funds.
Currently, the malware campaign targets Russian-speaking users, but it has the potential to affect individuals worldwide, prompting all Android users to verify their devices.
Cybersecurity experts advise users to avoid purchasing Android phones from unverified sellers, recommend checking hardware specifications, and discourage storing sensitive information as unencrypted images or text files.
Summary based on 1 source
Source

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto • Apr 14, 2025
Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp