Copycat websites for instant messaging apps such as Telegram and WhatsApp are used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware.
“All are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets,” ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis.
While the first instance of clipper malware on the Google Play Store dates back to 2019, the development marks the first time Android-based clipper malware has been integrated into instant messaging apps.
“Additionally, some of these apps use Optical Character Recognition (OCR) to recognize text from screenshots stored on compromised devices, which is another first for Android malware,” the Slovak cybersecurity company added.
The chain of attack begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to similar Telegram and WhatsApp websites.
What is new in the latest batch of clipper malware is that it is able to intercept a victim’s chats and replace all cryptocurrency wallet addresses sent and received with addresses controlled by threat actors.
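The substitution described above can be caught at the point where a message is composed and where it actually leaves the device: if a wallet address present in the composed text differs from the one in the transmitted text, something in between rewrote it. The following is an added example, not code from ESET's analysis or from the malware discussed; it is a defender-side consistency check, and the address patterns, the recogniser names and the sample messages are constructed for illustration.

```python
import re

# Constructed recognisers for common wallet-address formats (assumption: Bitcoin
# legacy/P2SH Base58, Bitcoin bech32, Ethereum hex). They find candidate addresses
# in free text; they do not validate checksums.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_wallet_addresses(text):
    """Return a list of (kind, address) tuples found in the text."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def detect_substitution(composed, delivered):
    """Compare the message the user composed with the message that was actually
    sent. A clipper swaps addresses in place, so the number of addresses stays
    the same while a value changes. Returns a list of alerts; empty means clean."""
    expected = find_wallet_addresses(composed)
    observed = find_wallet_addresses(delivered)
    alerts = []
    for (exp_kind, exp_addr), (obs_kind, obs_addr) in zip(expected, observed):
        if exp_kind != obs_kind or exp_addr != obs_addr:
            alerts.append((exp_kind, exp_addr, obs_addr))
    if len(expected) != len(observed):
        alerts.append(("count_mismatch", len(expected), len(observed)))
    return alerts


# Constructed placeholder addresses; neither is a real wallet.
USER_ADDR = "0x" + "ab" * 20
SWAPPED_ADDR = "0x" + "cd" * 20
COMPOSED = f"Please pay 0.5 ETH to {USER_ADDR} by Friday"
# Simulates what a clipper would hand to the network: same text, different address.
DELIVERED = COMPOSED.replace(USER_ADDR, SWAPPED_ADDR)

if __name__ == "__main__":
    print("clean message :", detect_substitution(COMPOSED, COMPOSED))
    print("rewritten msg :", detect_substitution(COMPOSED, DELIVERED))
```

In practice the "delivered" side would come from a network capture or a messaging proxy rather than from a string replacement, and the check is only as good as the recognisers, which is why each alert carries the kind of address that was matched.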
Another group of clipper malware uses OCR to find and steal seed phrases by exploiting a legitimate machine learning plugin called ML Kit on Android, thereby emptying wallets.
A third cluster is designed to keep an eye on Telegram conversations for certain Chinese cryptocurrency-related keywords, both hard-coded and received from a server, and, when one matches, to exfiltrate the full message, along with the username and the group or channel name, to a remote server.

Finally, a fourth set of Android clippers comes with capabilities to change the wallet address as well as collect device information and Telegram data such as messages and contacts.
Rogue Android APK package names are listed below –
- org.telegram.messenger
- org.telegram.messenger.web2
- org.tgplus.messenger
- io.busniess.va.whatsapp
- com.whatsapp
ESET said it also found two Windows-based clusters, one designed to swap wallet addresses and a second group that distributes Remote Access Trojans (RATs) instead of clippers to take control of infected hosts and perpetrate crypto theft.
All RAT samples analyzed are based on the publicly available Gh0st RAT, except for one, which performs additional anti-analysis runtime checks when running and uses the HP-Socket library to communicate with its server.
It should also be noted that these clusters, although following an identical modus operandi, represent disparate sets of activities likely developed by different threat actors.
The campaign, like a similar malicious cyber operation that came to light last year, is aimed at Chinese-speaking users, mainly motivated by the fact that Telegram and WhatsApp are blocked in the country.
“People who want to use these services must resort to indirect means to obtain them,” the researchers said. “Unsurprisingly, this presents a great opportunity for cybercriminals to abuse the situation.”