# Doctor Web discovered a clipper Trojan for Android **news.drweb.com/show** Doctor Web [Back to news](https://news.drweb.com/list/?p=0&lng=en&c=5) **August 7, 2018** **Trojans for Microsoft Windows that replace wallet numbers in the clipboard during** **operations involving digital money and cryptocurrencies are widespread and well** **known for both computer users and information security specialists. In August 2018,** **Doctor Web virus analysts examined several malicious programs with similar** **functions designed for the Android mobile platform.** Trojans capable of replacing digital wallet numbers in the clipboard in order to send money to cybercriminals instead of recipients are commonly referred to as “clippers”. Until recently, such malicious programs bothered Windows users only. Trojans for Android with similar functions are rarely seen in the wild. In August 2018, records of two modifications of a clipper [Trojan Android.Clipper were added to the Dr.Web virus databases. They were dubbed](https://vms.drweb.com/search/?q=Android.Clipper&lng=en) **[Android.Clipper.1.origin and](https://vms.drweb.com/search/?q=Android.Clipper.1.origin&lng=en)** **[Android.Clipper.2.origin. These malicious programs pose a](https://vms.drweb.com/search/?q=Android.Clipper.2.origin&lng=en)** threat to Android users. ----- **[Android.Clipper is capable of replacing the digital wallet numbers of the QIWI, WebMoney](https://vms.drweb.com/search/?q=Android.Clipper&lng=en)** (R and Z), and Yandex.Money payment systems, as well as the Bitcoin, Monero, zCash, DOGE, DASH, Etherium, Blackcoin and Litecoin cryptocurrencies. One of the examined [modifications of Android.Clipper is guised as an application for Bitcoin digital wallets:](https://vms.drweb.com/search/?q=Android.Clipper&lng=en) Once the Trojan is launched on an infected device, it displays a fake error message and continues to operate in hidden mode. The Trojan hides its icon from the list of applications on the Android home screen. From now on, the malware can be found in the apps management section of the system preferences only. Both modifications of **[Android.Clipper are then](https://vms.drweb.com/search/?q=Android.Clipper&lng=en)** launched automatically every time an infected smartphone or tablet is turned on. After a successful infection, the Trojan starts to track changes in the clipboard content. Once [the user copies the digital wallet number to the clipboard, Android.Clipper sends the](https://vms.drweb.com/search/?q=Android.Clipper&lng=en) number to the command and control server. The malware then makes another server request waiting for the cybercriminals’ wallet number that needs to be added to the clipboard instead of the original one. The author of **[Android.Clipper actively sells Trojans of this family in hacking forums. At that,](https://vms.drweb.com/search/?q=Android.Clipper&lng=en)** cybercriminals’ clients are free to use any application icon and name for every purchased copy of the malicious program. Thus, we can soon expect many modifications of these Trojans that will be spread by cybercriminals under the guise of harmless useful software. ----- ----- The virus writer claims in his advertisements that the malware’s functions include sending a report on the program operation to the Telegram app and a quick change of wallet numbers embedded into the clipboard using the FTP protocol. However, these features are not implemented in the Trojan itself. All the specified functions are provided for cybercriminals by the command and control center. Dr.Web for Android has successfully detected and deleted all the known modifications of the **[Android.Clipper Trojan family, so they do not pose any threat to our users.](https://vms.drweb.com/search/?q=Android.Clipper&lng=en)** [More information on Android.Clipper.1.origin](https://vms.drweb.com/virus/?i=17517750) [More information on Android.Clipper.2.origin](https://vms.drweb.com/virus/?i=17517761) [#Android](https://news.drweb.com/hashtag/?q=android) [#bitcoin](https://news.drweb.com/hashtag/?q=bitcoin) [#cryptocurrencies](https://news.drweb.com/hashtag/?q=cryptocurrencies) [What is the benefit of having an account?](https://www.drweb.com/user/advantages/?lng=en) ## Tell us what you think To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names. ### Other comments -----