New Android Trojan detected

by Altospam

Android.Clipper malware on Android

In August 2018, analysts at one of our Dr.Web antivirus partners (Doctor Web) just discovered a malware program with features similar to Windows-based cryptocurrency scam schemes, but designed for the Android mobile platform.

This new malware!

Widespread Windows malware has automatically replaced the e-wallet address during a transaction involving digital currency or cryptocurrency. Over the past two years, virtual currency users and IT security experts have become familiar with these Trojan horse viruses. But this is the first time this Trojan has been developed for Android, with similar functions.

This Trojan for Android systems is called “Clipper”. It is able to replace the e-wallet address to send funds to cybercriminals instead of the wallet owner.

Dr.Web analysts report that two variants have been added to their virus database: Android.Clipper.1.origin and Android.Clipper.2.origin. Both malware variants pose a serious threat to Android users, especially cryptocurrency investors.


The Clipper Trojan can replace QIWI, WebMoney (R and Z) and the Yandex e-portfolio address. In addition, Clipper can replace the addresses of cryptocurrency wallets such as Bitcoin, Monero, Zcash, DOGE, Dash, Etherium, Blackcoin and Litecoin. The application supplied with the Trojan is disguised as a Bitcoin digital wallet application.


How does it work?

When Android.Clipper.1.origin is launched for the first time, it makes its main activity inaccessible by modifying the access parameters. As a result, the malicious application’s icon disappears from the list of programs on the Android screen.

In the OnPrimaryClipChangedListener interface, the malware then adds a listener that tracks changes to the clipboard contents and waits for a user to copy a number from one of the targeted digital wallets.

Once the corresponding number has been retrieved, Android.Clipper.1.origin sends the information to the command and control server. The malware then reconnects to the server and waits for the cybercriminal’s wallet number belonging to the same payment system as the intercepted number.


This new type of virus on Android shows that Google’s system is not immune to malware. Last year, ransomware appeared on Android. Indeed, a system capable of intercepting communications, sms, address books, emails and web browsing is logically very interesting for hackers…


As a reminder, the French Altospam solution integrates 6 antiviruses, including Dr.Web. This means that all e-mails and attachments passing through Altospam will be systematically and successively scanned by these 6 antivirus programs. What’s more, since Altospam is located upstream of the mail server, if you check your email on Android, you’ll be protected from this type of Trojan virus.

Test Altospam’s solutions!

Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …