According to a new analysis by ESET researchers Lukáš Štefanko and Peter Strýček, copycat websites for popular instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions, infecting Android and Windows users with cryptocurrency clipper malware. The malware is designed to go after victims’ cryptocurrency funds, with several of the variants targeting cryptocurrency wallets specifically.
While the first instance of clipper malware on the Google Play Store dates back to 2019, this marks the first time Android-based clipper malware has been built into instant messaging apps. Some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on compromised devices, which is a new feature for Android malware.
The attack begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites. What’s unique about this latest batch of clipper malware is that it can intercept a victim’s chats and replace any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.
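The address-swap behaviour described above can be checked from the defender's side by comparing what the user typed with what the client actually transmitted: a clipper leaves the surrounding text alone and only rewrites the address. The Python below is an added example, not ESET's code or anything from the campaign; the address formats it recognizes and the two sample messages are assumptions constructed for illustration.

```python
import re
from itertools import zip_longest

# Address formats a clipper typically rewrites. The coins each ESET cluster
# targets are not listed in the write-up, so these three are an assumption.
ADDRESS_PATTERNS = [
    re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),        # Bitcoin bech32
    re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),    # Bitcoin legacy base58
    re.compile(r"\b0x[0-9a-fA-F]{40}\b"),                  # Ethereum
]


def extract_addresses(text: str) -> list[str]:
    """Return every wallet-looking token in the order it appears."""
    hits = [(m.start(), m.group(0)) for p in ADDRESS_PATTERNS for m in p.finditer(text)]
    return [addr for _, addr in sorted(hits)]


def redact_addresses(text: str) -> str:
    """Replace each address with a fixed token so the rest of the message can be compared."""
    for p in ADDRESS_PATTERNS:
        text = p.sub("<ADDR>", text)
    return text


def detect_swaps(typed: str, transmitted: str) -> dict:
    """Compare the message the user typed with the one that left the device.

    The telltale of a clipper is an identical message skeleton with a
    different address at the same position. Returns the swapped pairs and
    a flag saying whether anything other than an address changed.
    """
    before = extract_addresses(typed)
    after = extract_addresses(transmitted)
    swaps = [(b, a) for b, a in zip_longest(before, after, fillvalue="") if b != a]
    return {
        "swapped": swaps,
        "only_addresses_changed": redact_addresses(typed) == redact_addresses(transmitted),
    }


# Constructed sample: what the victim typed versus what a trojanized client sent.
TYPED = "Send the 0.5 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq thanks"
SENT = "Send the 0.5 BTC to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 thanks"

if __name__ == "__main__":
    print(detect_swaps(TYPED, SENT))
```

The same comparison works for incoming messages, where the page notes received addresses are rewritten as well.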
One cluster of clipper malware makes use of OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android, making it possible to empty the wallets. Another cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords related to cryptocurrencies and exfiltrate the complete message, along with the username, group or channel name, to a remote server.
Lastly, a fourth set of Android clippers comes with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts. The rogue Android APK package names include org.telegram.messenger, org.telegram.messenger.web2, org.tgplus.messenger, io.busniess.va.whatsapp, and com.whatsapp.
ESET also found two Windows clusters: one engineered to swap wallet addresses, and a second that distributes remote access trojans (RATs) in place of clippers to gain control of infected hosts and carry out crypto theft.
It is important to note that these clusters, despite following a similar modus operandi, represent different sets of activity likely developed by different threat actors. The campaign, like a similar malicious cyber operation that came to light last year, targets Chinese-speaking users, a choice primarily motivated by the fact that both Telegram and WhatsApp are blocked in the country.