Malicious software known as a “clipper”, embedded into fake instant messaging applications, can steal information from the device’s clipboard. Through fake websites, threat actors are getting users to install modified Telegram and WhatsApp applications with a Trojan horse embedded in them on their Android and Windows devices. Through these fake applications, the attackers can monitor the victims’ cryptocurrencies. The malicious software can replace the crypto wallet addresses the victim sends from the chat application with addresses belonging to the attacker. It can also abuse optical character recognition (OCR) to extract text from the clipboard and steal account recovery codes related to the crypto wallet.
Researchers have identified dozens of counterfeit websites hosting trojanized versions of the WhatsApp and Telegram applications, which specifically target Android and Windows users. Most of the detected malicious applications are clippers, a type of malicious software that steals or modifies clipboard contents. While all of these applications attempt to steal the victims’ cryptocurrencies, some specifically target crypto wallets. This is the first time ESET Research has detected Android-based clipper software targeting instant messaging applications. Additionally, some of these applications use OCR to extract text from screen captures on compromised devices, another first for Android-based malicious software.
The language used in the counterfeit applications suggests that the threat actors specifically target Chinese-speaking users. In China, Telegram and WhatsApp have been banned since 2015 and 2017, respectively, forcing users to resort to indirect methods to access these applications. The threat actors first set up Google Ads directing users to fake YouTube channels, which then redirected them to the counterfeit Telegram and WhatsApp websites.
The main purpose of the detected clipper software is to intercept the victim’s messages and replace the sent and received crypto wallet addresses with addresses belonging to the attacker. The researchers detected trojanized Android versions of WhatsApp and Telegram, as well as trojanized Windows versions of the same applications.
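The swap described above leaves the surrounding message intact and changes only the wallet address, so a simple defensive check is to compare the address the user actually copied with the address that ends up in the outgoing message. The following is an added example, not code from the original article or from ESET; the address formats (Bitcoin and Ethereum) and the sample addresses are constructed assumptions, since the article does not name a specific cryptocurrency.

```python
import re

# Recognisers for two common wallet address formats (assumption: the article
# names no specific coin, so Bitcoin and Ethereum serve as examples).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(
        r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
    ),
    "ethereum": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}


def find_addresses(text):
    """Return (kind, address) pairs for every wallet address found in text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def detect_clipper_swap(copied_text, outgoing_text):
    """Flag a wallet address that changed between copy and send.

    A clipper substitutes an address of the same kind and leaves the rest
    of the message alone, so an address of the same kind that differs from
    the one the user copied is the signal. Returns a list of alerts; an
    empty list means nothing suspicious was seen.
    """
    alerts = []
    for kind, expected in find_addresses(copied_text):
        for observed_kind, observed in find_addresses(outgoing_text):
            if kind == observed_kind and expected != observed:
                alerts.append(
                    {"kind": kind, "expected": expected, "observed": observed}
                )
    return alerts


if __name__ == "__main__":
    # Constructed sample: what the user copied versus what the app sends.
    copied = "Send to bc1qconstructedexampleaddress0000000000 please"
    sent = "Send to bc1qattackercontrolledaddress00000000000 please"
    for alert in detect_clipper_swap(copied, sent):
        print(f"{alert['kind']} address swapped: "
              f"{alert['expected']} -> {alert['observed']}")
```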
As a precaution, users should download applications only from reliable and reputable sources such as the Google Play Store, and should not store unencrypted images or screenshots containing sensitive information on their devices. If you suspect a trojanized Telegram or WhatsApp application is on your device, manually remove it and reinstall the application either from Google Play or directly from the official website.