Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft?
ID: 76654334-2a4d-5f5e-a98e-ab59bb6a9848
STIX ID: report--76654334-2a4d-5f5e-a98e-ab59bb6a9848
Feed Name: Dr.Web News
**Executive summary:** Doctor Web analysts discovered a widespread campaign (Shibai) in which low-end Android phones were shipped with a copy of WhatsApp trojanized using LSPatch. The malware hijacks updates, monitors and replaces Tron/Ethereum wallet addresses (clipboard clipping), and exfiltrates chats and screenshots of wallet mnemonics. It is managed via >60 C2 servers and ~30 distribution domains, with wallets observed holding up to ~$1M.
