But usually, as I have heard, the clone wallet or phishing wallet like installing a fake version of the electrum didn't have any malware infection in your device, but the problem is the revise the code.
The hackers are probably not interested in attaching easy to detect malware with their fake Electrum wallets. The majority of users have some sort of anti-virus software installed. As the time passes, the fake wallets would be recognized as malware and that is not something they want. They want a similar code to the original Electrum, with one difference: Your coins get sent to an address controlled by them.
Just wonder how the attacker connects into the server of the Electrum and increases the chances that the possible a victim will connect to the attacker and the attacker can able to manipulate the wallet and send it to their own wallet. And they called it a Sybil attack, how genius the attackers these days because they had the ability to hack like this even how many times they had an update.
Just like what happened to this recent victim, the
attacker stole 1400 Bitcoin from Electrum installing old version of the wallet.