ESET Research discovered Trojan-infected WhatsApp and Telegram applications,

• ESET Research has discovered for the first time so-called "clipper" malware embedded in instant messaging applications.

• Their perpetrators prey on victims' cryptocurrency using Trojan-infected Android and Windows Telegram and WhatsApp apps.

• The malware is able to replace the addresses of cryptocurrency wallets that victims send in chat messages with addresses belonging to the attacker.

• Some of the clippers even use character recognition to extract text from screenshots and steal recovery phrases from cryptocurrency wallets.

• In addition to clippers, ESET has also discovered remote access Trojans embedded in malicious versions of WhatsApp and Telegram on Windows.

Researchers from ESET, Europe's leading security solutions provider, have uncovered dozens of fake Telegram and WhatsApp websites, mainly targeting Android and Windows users via horse-ridden versions of these instant messaging apps. Troy. Most of the malicious apps we've identified are called "clippers," a type of malware that steals or modifies clipboard content. All of them are interested in victims' cryptocurrency funds, and several of them target cryptocurrency wallets. This was the first time ESET Research had come across clippers on Android specifically focusing on instant messaging. Some of this malware even uses Optical Character Recognition (OCR) to recognize text in screenshots stored on compromised devices, which is another first for Android malware.

Given the language used in the hijacked applications, it seems that the operators mainly target Chinese-speaking users. Telegram and WhatsApp have been blocked in China for several years; since 2015 for Telegram and since 2017 for WhatsApp. People who wish to use these services must resort to indirect means to obtain them.

The threat actors first set up Google ads leading to fraudulent YouTube channels, which then redirected users to websites mimicking those of Telegram and WhatsApp. ESET Research immediately reported the fraudulent advertisements and corresponding YouTube channels to Google, which promptly shut them down.

“The main purpose of the clippers we discovered is to intercept the victim's email communications and replace all cryptocurrency wallet addresses sent and received with addresses belonging to the attackers. In addition to the Android versions of the WhatsApp and Telegram apps, we also found Windows versions,” explains Lukáš Štefanko, the ESET researcher who discovered the malicious apps.

Although they serve the same purpose, malicious versions of these apps contain different additional features. Clippers analyzed on Android are the first example of Android malware using OCR to read text in screenshots and photos stored on the victim's device. OCR is deployed to find and steal the passphrase. This mnemonic code made up of a series of words is used to retrieve cryptocurrency wallets. Once cybercriminals get hold of a passphrase, they are able to directly steal all the cryptocurrencies in the associated wallet.

In another case, the malware simply replaces the victim's cryptocurrency wallet address with that of the attacker in email communications. Addresses are either hard-coded or dynamically retrieved from the attacker's server. In yet another case, the malware monitors Telegram communications for certain cryptocurrency-related keywords. When such a keyword is recognized, the malware sends the full message to the attacker's server.

ESET Research has also found Windows versions of wallet surrogate clippers, as well as Telegram and WhatsApp installers for Windows that embed remote access Trojans. These deviate from the established pattern. They do not feature a clipper, but a remote access tool that allows full control of the victim's system. In this way, cybercriminals are able to steal cryptocurrency wallets without intercepting the flow of the application.

“Only install apps from trusted sources, such as Google Play, and do not store unencrypted images or screenshots containing sensitive information on your device. If you think you have installed a malicious version of Telegram or WhatsApp, manually remove it from your device, and download the app either from Google Play or directly from the legitimate website,” Štefanko advises. “For Windows, if you think your Telegram app is malicious, use a security solution to detect the threat and remove it. The only official version of WhatsApp for Windows is currently available on the Microsoft store. »

About ESET

For more than 30 years, ESET® has been developing IT security software and services to protect corporate digital assets, critical infrastructure and consumers around the world against cyber threats. We protect fixed and mobile terminals, collaborative tools and provide incident detection and processing. Established around the world, our R&D centers collect and analyze cyber threats to protect our customers and our digital world.