Fake WhatsApp and Telegram Apps Target Victims' Cryptocurrencies

ESET researchers have identified trojanized versions of the WhatsApp and Telegram apps, as well as dozens of copycat websites for those instant messaging apps, targeting Android and Windows users. Most of the detected malware are clippers, a type of malware that steals or alters clipboard contents. All of the software in question is after victims' cryptocurrency funds, and several samples target cryptocurrency wallets directly. This is the first time ESET Research has detected Android clippers that specifically target instant messaging apps. Some of these apps also use optical character recognition (OCR) to extract text from screenshots stored on compromised devices, another first for Android malware.

“Scammers are trying to seize cryptocurrency wallets via instant messaging apps”

The language used in the copycat applications shows that the operators were especially targeting Chinese-speaking users. Because Telegram and WhatsApp have been blocked in China since 2015 and 2017, respectively, people who want to use these apps have to obtain them through indirect means. The threat actors first set up Google Ads that led to fraudulent YouTube channels, which in turn redirected users to the copycat Telegram and WhatsApp websites. ESET Research reported the fraudulent ads and the related YouTube channels to Google, which promptly shut them all down.

ESET researcher Lukáš Štefanko, who discovered the trojanized applications, said:

“The main purpose of the clippers we detected is to intercept the victim's messages and replace the sent and received cryptocurrency wallet addresses with the addresses of the attacker. Besides the trojanized Android WhatsApp and Telegram apps, we also detected trojanized Windows versions of the same apps.”

The trojanized versions of these apps have different capabilities, although they serve the same purpose. The analyzed Android clippers are the first Android malware to use OCR to read text from screenshots and photos stored on the victim's device. OCR is used to find and steal the seed phrase, a mnemonic code made up of a series of words that is used to recover a cryptocurrency wallet. As soon as the malicious actors get hold of the seed phrase, they can directly steal all the cryptocurrency in the corresponding wallet.

The malware replaces the cryptocurrency wallet addresses the victim sends in chat messages with the attacker's address, using addresses that are either hardcoded in the program or fetched dynamically from the attacker's server. In addition, the software monitors Telegram messages for specific cryptocurrency-related keywords; as soon as it spots such a keyword, it forwards the entire message to the attacker's server.
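As an added example (not code from ESET or from the analyzed malware), the following Python sketch shows the two signals the clippers described above key on and the substitution they perform: Base58Check-validated Bitcoin addresses and Ethereum-shaped hex strings in chat text are swapped for an attacker-controlled address of the same kind, a recipient-side check compares the intended and delivered messages, and a heuristic flags OCR'd text shaped like a 12- or 24-word mnemonic. The addresses, chat message and OCR line are constructed for the demo; the attacker address table and the 3-to-8-letter word heuristic are assumptions, not details ESET published.

```python
"""Added example, not ESET's code: the signals the clippers described above
key on (wallet addresses in chat text, seed-phrase-shaped word runs in OCR
output) and the address substitution they perform.  Every address, message
and OCR line below is constructed for the demo; none is a real wallet."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy Bitcoin
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")                  # Ethereum (no EIP-55 check)


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version: bytes, payload: bytes) -> str:
    """Base58Check: version || payload || first 4 bytes of double-SHA256."""
    raw = version + payload
    raw += _double_sha256(raw)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58check_valid(addr: str) -> bool:
    """True if addr is Base58 and its trailing 4-byte checksum matches."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) < 5:
        return False
    return _double_sha256(raw[:-4])[:4] == raw[-4:]


def find_wallet_addresses(text: str) -> list[tuple[str, str]]:
    """(kind, address) pairs in order of appearance.  Bitcoin hits must pass
    Base58Check, which is how a clipper avoids swapping random Base58 noise."""
    hits = [(m.start(), "btc", m.group()) for m in P2PKH_RE.finditer(text)
            if b58check_valid(m.group())]
    hits += [(m.start(), "eth", m.group()) for m in ETH_RE.finditer(text)]
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def clipper_swap(text: str, attacker: dict[str, str]) -> str:
    """What the clipper does to an outgoing message: every address of a
    supported kind is replaced by the attacker's address of the same kind."""
    for kind, addr in find_wallet_addresses(text):
        if kind in attacker:
            text = text.replace(addr, attacker[kind])
    return text


def detect_swap(intended: str, sent: str) -> list[tuple[str, str]]:
    """Out-of-band check: (original, replacement) for every address that
    differs between what the sender meant and what was delivered."""
    before = find_wallet_addresses(intended)
    after = find_wallet_addresses(sent)
    return [(a[1], b[1]) for a, b in zip(before, after) if a != b]


def find_seed_phrase_candidates(text: str) -> list[list[str]]:
    """Heuristic for the OCR stage: maximal runs of exactly 12 or 24 lowercase
    words of 3-8 letters, the shape of a BIP-39 mnemonic (assumed heuristic;
    a production scanner would also check each word against the BIP-39 list)."""
    candidates, run = [], []
    for token in text.split() + [""]:  # "" sentinel flushes the final run
        if re.fullmatch(r"[a-z]{3,8}", token):
            run.append(token)
            continue
        if len(run) in (12, 24):
            candidates.append(run)
        run = []
    return candidates


# --- constructed demo data (not real wallets) --------------------------------
VICTIM_BTC = b58check_encode(b"\x00", hashlib.sha256(b"victim-demo").digest()[:20])
ATTACKER = {
    "btc": b58check_encode(b"\x00", hashlib.sha256(b"attacker-demo").digest()[:20]),
    "eth": "0x" + "ab" * 20,
}
INTENDED = f"hi, please send the 0.2 BTC to {VICTIM_BTC} before Friday"
SENT = clipper_swap(INTENDED, ATTACKER)  # what actually leaves the trojanized app
OCR_TEXT = ("Wallet Backup\n"
            "zoo zebra yellow wrong wrist write worth world wool wood wonder woman\n"
            "12/24")

if __name__ == "__main__":
    print("intended:", INTENDED)
    print("sent:    ", SENT)
    print("swapped: ", detect_swap(INTENDED, SENT))
    print("seed-phrase candidates:", find_seed_phrase_candidates(OCR_TEXT))
```

Run directly to see the swapped message. The Base58Check step matters in both directions: it is what lets a clipper substitute only syntactically valid addresses (so the victim sees nothing suspicious), and it is what a defensive scanner needs to avoid false positives on ordinary Base58-looking text. Because the substitution happens inside the trojanized app, the only reliable check is comparing the address through a second channel, which is what `detect_swap` models.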

ESET Research also found Windows Telegram and WhatsApp installers bundled with remote access trojans (RATs), as well as Windows versions of the address-swapping clippers. Analysis of the samples showed that one of the Windows packages was not a clipper at all but a RAT capable of taking complete control of the victim's system; such RATs can steal cryptocurrency wallets without intercepting the application's message flow.

Lukáš Štefanko gave the following advice:

“Install apps only from trusted and reliable sources, such as the Google Play Store, and do not store unencrypted pictures or screenshots containing important information on your device. If you think you have a trojanized Telegram or WhatsApp application on your device, manually uninstall it and download the application either from Google Play or directly from the legitimate website. If you suspect you have a malicious Telegram app on your Windows device, use a security solution that detects and removes the threat. The only official version of WhatsApp for Windows is currently available in the Microsoft Store.”