{
	"id": "1571f35b-f20a-4bc2-9a54-2ccaff31b0e2",
	"created_at": "2026-04-06T00:22:03.497508Z",
	"updated_at": "2026-04-10T03:20:38.138749Z",
	"deleted_at": null,
	"sha1_hash": "af206441ca774c571608cbacc121a995f2d9fed2",
	"title": "Android.Clipper.2.origin — Dr.Web Malware description library",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63924,
	"plain_text": "Android.Clipper.2.origin — Dr.Web Malware description library\r\nPublished: 2018-08-09 · Archived: 2026-04-05 16:40:03 UTC\r\nAdded to the Dr.Web virus database: 2018-08-08\r\nVirus description added: 2018-08-09\r\nSHA1:\r\na2f50f63ae8c4ba7e96a5b3bf30321ac125c715b\r\nA malicious program for Android mobile devices. It can be distributed under the guise of popular harmless\r\napplications, such as software for the Bitcoin cryptocurrency:\r\nWhen Android.Clipper.2.origin launches for the first time, it makes its main activity\r\nclipper.abcchannelmc.ru.clipperreborn.MainActivity inaccessible by changing the access settings. As a result, the\r\nmalicious application’s icon disappears from the list of programs on the Android home screen.\r\nIn the OnPrimaryClipChangedListener interface, the Trojan then adds a listener that tracks changes in the\r\nclipboard content and waits for a user to copy a number of one of the targeted digital wallets.\r\nhttps://vms.drweb.com/virus/?i=17517761\r\nPage 1 of 2\n\nOnce the corresponding number is found in the clipboard, Android.Clipper.2.origin sends the number\r\ninformation to the http://fastfrmt.*****.tech command and control server. The malware then reconnects to the\r\nserver and waits for the cybercriminals’ wallet number that belongs to the same payment system as the intercepted\r\nnumber.\r\nThe Trojan tracks and replaces wallet numbers of the following payment systems and cryptocurrencies:\r\nQIWI\r\nWebMoney R\r\nWebMoney Z\r\nYandex.Money\r\nBitcoin\r\nMonero\r\nzCash\r\nDOGE\r\nDASH\r\nEtherium\r\nBlackcoin\r\nLitecoin\r\nTo provide the autostart every time the infected mobile device is turned on, Android.Clipper.2.origin tracks the\r\nfollowing system events:\r\nandroid.intent.action.BOOT_COMPLETED;\r\nandroid.intent.action.QUICKBOOT_POWERON;\r\ncom.htc.intent.action.QUICKBOOT_POWERON.\r\nNews about the Trojan\r\nSource: https://vms.drweb.com/virus/?i=17517761\r\nhttps://vms.drweb.com/virus/?i=17517761\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://vms.drweb.com/virus/?i=17517761"
	],
	"report_names": [
		"?i=17517761"
	],
	"threat_actors": [],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af206441ca774c571608cbacc121a995f2d9fed2.pdf",
		"text": "https://archive.orkl.eu/af206441ca774c571608cbacc121a995f2d9fed2.txt",
		"img": "https://archive.orkl.eu/af206441ca774c571608cbacc121a995f2d9fed2.jpg"
	}
}