ESET Research detects WhatsApp and Telegram apps that steal cryptocurrencies and contain trojans with new features

Cybersecurity company ESET has detected the first instance of a malware called clipper, which is embedded in instant messaging applications and can retrieve information from the display clipboard. Threat actors enable users to download Telegram and WhatsApp applications, modified by incorporating Trojan horses, on their Android and Windows devices via fake websites.

Thanks to these fake apps, they can track victims’ cryptocurrencies. The malware can replace the cryptocurrency wallet addresses sent by the victim from the chat application with the addresses belonging to the attacker. They can abuse optical character recognition to extract text from the display clipboard and steal account recovery codes for the cryptocurrency wallet.

ESET researchers have identified trojanized versions of WhatsApp and Telegram apps, as well as dozens of copycat websites for those instant messaging apps specifically targeting Android and Windows users. Most of the detected malware is clipper, a type of malware that steals or alters clipboard contents. All of the software in question tries to steal victims’ cryptocurrencies, while some target cryptocurrency wallets. For the first time, ESET Research has detected Android-based clipper software specifically targeting instant messaging apps. Also, some of these apps use optical character identification (OCR) to extract text from screenshots saved on compromised devices. This is another first for Android-based malware.

Scammers are trying to seize cryptocurrency wallets via instant messaging apps

When the language used in the imitation applications was examined, it was revealed that the people using these software were especially targeting Chinese-speaking users. Since the use of both Telegram and WhatsApp in China has been prohibited since 2015 and 2017, respectively, people who wanted to use these applications had to resort to indirect means. The threat actors in question first set up Google Ads, which redirects them to fake YouTube channels, and then redirects users to copycat Telegram and WhatsApp websites. ESET Research reported the fake ads and related YouTube channels to Google, and Google immediately discontinued all of these ads and channels.

ESET researcher Lukáš Štefanko, who detected Trojan-hidden applications, said: “The main purpose of the clipper software we detected is to intercept the victim’s messages and replace the sent and received cryptocurrency wallet addresses with the addresses belonging to the attacker. Besides the trojan-disguised Android-based WhatsApp and Telegram apps, we also detected trojan-hidden Windows versions of the same apps.”

Trojan-disguised versions of these apps have different features, although they serve the same purpose. The reviewed Android-based clipper software is the first Android-based malware to use OCR to read text from screenshots and photos stored on the victim’s device. OCR is used to find and play the key phrase. The key phrase is a mnemonic code, a set of words used to recover cryptocurrency wallets. As soon as the malicious actors get hold of the key phrase, they can directly steal all the cryptocurrencies in the respective wallet.

The malware replaces the victim’s cryptocurrency wallet address with the attacker’s chat address. It does this with addresses either directly in the program or dynamically obtained from the attacker’s server. In addition, the software monitors Telegram messages to detect specific keywords related to cryptocurrencies. As soon as the software detects such a keyword, it forwards the entire message to the attacker’s server.

ESET Research has detected Windows-based Telegram and WhatsApp installers containing remote access trojans (RATs), as well as Windows versions of these wallet address-altering clipper software. Based on the application model, it was discovered that one of the Windows-based malicious packages is not clipper software, but RATs that can take complete control of the victim’s system. Thus, these RATs can steal cryptocurrency wallets without intercepting the application flow.

Lukáš Štefanko advises: “Install apps only from reliable and reliable sources, such as Google Play Store, and do not store unencrypted pictures or screenshots containing important information on your device. If you think you have a Trojan-disguised Telegram or WhatsApp application on your device, manually uninstall these applications from your device and download the application either from Google Play or directly from the legitimate website. If you suspect you have a malicious Telegram app on your Windows-based device, use a security solution that detects and removes the threat. The only official version of WhatsApp for Windows is currently available in the Microsoft store.”

Source: (BYZHA) – Beyaz News Agency