
Trojan-infected WhatsApp and Telegram Apps Target Cryptocurrency Wallets


ESET researchers have uncovered several copycat Telegram and WhatsApp websites that target Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps identified are clippers, malware that steals or alters the contents of the clipboard, in this case to divert victims' cryptocurrency transfers. This is the first time Android clippers have been found to target instant messaging specifically. Some of the apps also use optical character recognition (OCR) to read text from screenshots saved on the compromised device. ESET further identified remote access trojans (RATs) bundled with the Windows versions of the same apps. The malware is designed to intercept chat communications and replace any sent or received cryptocurrency wallet address with one belonging to the attackers. Other copycat cryptocurrency applications identified in earlier ESET research try to steal the recovery phrases of victims' wallets, pointing to a growing trend of crypto-focused attacks.

Trojanizing the two apps required different amounts of effort. Telegram is open source, so adding malicious code to it is relatively easy. WhatsApp's source code is not public, so the authors of the trojanized builds had to analyze the app's functionality thoroughly before modifying it. ESET grouped the added functionality into Android and Windows clusters according to the platform attacked. Cluster 1 is the first known instance of Android malware using OCR to read text from screenshots and photos stored on the victim's device in order to steal seed phrases, the series of words used to recover a cryptocurrency wallet. Cluster 2 swaps the victim's cryptocurrency wallet address for the attacker's address in chat communication. Clusters 3 and 4 monitor Telegram communication for certain cryptocurrency-related keywords and not only swap the wallet address but also exfiltrate internal Telegram data and basic device information. One Windows cluster consists of RATs rather than clippers; these can steal cryptocurrency wallets outright without having to intercept the application's flow.

The copycat apps target Chinese-speaking users, since Telegram and WhatsApp have been blocked in China since 2015 and 2017 respectively, which pushes users to look for the apps outside official channels. Cybercriminals take advantage of this by purchasing Google ads that lead to fraudulent YouTube channels, which in turn direct viewers to the copycat websites, or by advertising the malicious builds in Telegram groups. Routing the ads through YouTube puts the attackers at the top of search results while keeping the fake websites themselves from being flagged as scams; links to the copycat sites are usually placed in the "About" section of the YouTube channels. ESET reported the fraudulent ads and related YouTube channels to Google, which took them down.

ESET's findings add to concern over the growing trend of cryptocurrency-focused attacks, with cybercriminals using techniques such as OCR and RATs to obtain victims' funds. Messaging apps such as Telegram and WhatsApp are a convenient attack vector because long strings such as wallet addresses are almost always copied and pasted through the clipboard rather than typed, and few users check the full address afterwards. That lets an attacker replace the victim's intended address with their own without being noticed, so the funds are sent to the attacker instead of the intended recipient. Cybercriminals are also aware of restrictions imposed by some countries, such as the blocking of Telegram and WhatsApp in China, and exploit them for distribution.
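The following Python example, added here and not code from ESET's report or from the malware itself, models the two sides of the address-swapping described in the cluster paragraph and the clipboard paragraph above: a clipper-style routine that spots wallet-like strings in a chat message or clipboard buffer and substitutes attacker-controlled ones, and the defensive check a wallet or user could apply before sending. The address patterns are deliberately simplified (no checksum validation), the attacker addresses and the sample message are constructed placeholders, and the function names are this example's own.

```python
import re

# Simplified wallet-address patterns for three chains. Constructed for this example
# and intentionally loose: a real detector would also validate checksums.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "trx":        re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

# Attacker-controlled destination per chain (hypothetical placeholder values).
# Chains with no entry are left untouched by the swap, as a clipper would do
# for chains its operator has no address for.
ATTACKER_ADDRESSES = {
    "btc_bech32": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "eth": "0x8617E340B3D01FA5F11F306F4090FD50E238070D",
}

# Constructed chat message as a victim might send it (placeholder addresses only).
SAMPLE_MESSAGE = (
    "Please pay 0.5 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq "
    "or 1 ETH to 0x52908400098527886E0F7030069857D2E4169EE7 by Friday."
)


def find_addresses(text):
    """Return a list of (chain, address) for every wallet-like string in text."""
    found = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((chain, match.group(0)))
    return found


def clipper_swap(text, attacker_addresses=ATTACKER_ADDRESSES):
    """Model the clipper: replace each detected address with the attacker's
    address for the same chain, so the text still looks plausible to the reader."""
    swapped = text
    for chain, pattern in ADDRESS_PATTERNS.items():
        target = attacker_addresses.get(chain)
        if target:
            swapped = pattern.sub(target, swapped)
    return swapped


def check_paste(copied, pasted):
    """Defensive check before sending: the string that lands in the destination
    field must be exactly what the user copied. Returns (ok, reason)."""
    if copied == pasted:
        return True, "address unchanged"
    copied_chains = [chain for chain, _ in find_addresses(copied)]
    pasted_chains = [chain for chain, _ in find_addresses(pasted)]
    if copied_chains and copied_chains == pasted_chains:
        # Same chain, different address: the signature of a clipper swap.
        return False, f"same chain ({copied_chains[0]}) but different address: likely clipper"
    return False, "destination does not match what was copied"


if __name__ == "__main__":
    print(find_addresses(SAMPLE_MESSAGE))
    print(clipper_swap(SAMPLE_MESSAGE))
    victim_copied = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
    print(check_paste(victim_copied, clipper_swap(victim_copied)))
```

The swap keeps the chain type consistent, which is why a casual glance at the pasted address does not reveal the tampering; the only reliable user-side check is comparing the full string against the one obtained out of band, which is what `check_paste` automates.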

