Windows, Android: beware of these fake WhatsApp and Telegram apps, they are malicious


Alexander Boero

March 21, 2023 at 2:30 p.m.


Trojanized versions of WhatsApp and Telegram aimed at Android and Windows users have been discovered by ESET Research.

ESET researchers have unearthed dozens of fake WhatsApp and Telegram websites, mainly targeting Android and Windows users, that distribute trojanized builds of both messengers. It is also the first time ESET has seen "clipper" malware built into instant messaging apps.

Hackers first lure their victims with videos on YouTube

A clipper, it is worth remembering, is malware that reads or modifies the contents of the clipboard. All of the malicious apps discovered share one goal: the victims' cryptocurrency wallets. Several of them even use optical character recognition (OCR) to extract text from screenshots stored on the compromised Android phone. We explain all this further below.

For now, the attackers appear to be focusing on Chinese-speaking Telegram and WhatsApp users, a choice that maximizes their reach given that Telegram and WhatsApp have been blocked in China since 2015 and 2017 respectively. Users who have to obtain these apps through unofficial channels are exactly the ones most likely to fall for a convincing fake.

To lure victims, the attackers first bought Google ads that sent users to YouTube channels that looked legitimate but were fraudulent. The videos then steered viewers to websites imitating those of Telegram and WhatsApp. Google has since taken down the reported channels.

Different techniques used to steal victims’ cryptocurrency wallets

"The primary purpose of the clippers we discovered is to intercept the victim's messaging communications and replace all sent and received cryptocurrency wallet addresses with addresses belonging to the attackers," says researcher Lukas Stefanko, who discovered the malicious apps.

While all of these malicious versions serve the same purpose, they differ in their additional capabilities. The OCR mentioned above, which reads text out of screenshots stored on the device, is used to find and steal the wallet's recovery passphrase. This mnemonic, a sequence of words, is all that is needed to restore a wallet on another device, so once the attackers have it they can empty the wallet entirely.

A second behavior was also identified: the malware swaps the victim's wallet address for the attacker's directly inside the chat messages. The replacement addresses are either hardcoded in the malware or fetched dynamically from the attacker's server. The researchers further identified a variant that monitors Telegram conversations for cryptocurrency-related keywords; as soon as it spots one, it sends the full message to the attacker's server.
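The address-swapping and keyword-trigger logic described above, as an added illustration of how these clippers operate and how a substitution can be caught: this is example code written for this page, not ESET's code or the malware's, and the address patterns, keyword list, wallet addresses and sample message are constructed assumptions.

```python
"""Address-swapping logic of a crypto clipper, with a matching detection check.

Added example, not code from ESET or from the malware; the addresses, keywords
and messages below are constructed for illustration.
"""
import re

# Address formats the report says the clippers go after. A real clipper
# covers more chains; these four are enough to show the mechanism.
ADDRESS_PATTERNS = {
    # Legacy P2PKH/P2SH Bitcoin: base58, starts with 1 or 3
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # Native SegWit Bitcoin: bech32 charset (no 1, b, i, o), starts with bc1
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    # Ethereum / ERC-20 (USDT on Ethereum): 0x plus 40 hex digits
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    # Tron / TRC-20 (USDT on Tron): base58, starts with T, 34 chars total
    "trx": re.compile(r"\bT[a-km-zA-HJ-NP-Z1-9]{33}\b"),
}

# Trigger words the Telegram-monitoring variant might watch for (constructed list).
CRYPTO_KEYWORDS = ("btc", "usdt", "wallet", "seed phrase", "mnemonic", "钱包")


def find_wallet_addresses(text):
    """Return (chain, address) pairs found in text, in order of appearance."""
    hits = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), chain, m.group(0)))
    hits.sort()
    return [(chain, addr) for _, chain, addr in hits]


def swap_addresses(text, attacker_addresses):
    """What the clipper does to a message or clipboard buffer: every recognised
    address is replaced by the attacker's address for the same chain. Chains the
    attacker has no address for are left untouched."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if chain in attacker_addresses:
            text = pattern.sub(attacker_addresses[chain], text)
    return text


def mentions_crypto(message):
    """Keyword trigger: the monitoring variant forwards the whole message to the
    attacker's server when one of these words appears."""
    lowered = message.lower()
    return any(keyword in lowered for keyword in CRYPTO_KEYWORDS)


def detect_swaps(sent, received):
    """Defensive check: compare the addresses in the message as typed with those
    in the message as delivered. Returns (chain, original, replacement) triples."""
    original = find_wallet_addresses(sent)
    delivered = find_wallet_addresses(received)
    swaps = []
    for (chain_a, addr_a), (chain_b, addr_b) in zip(original, delivered):
        if chain_a == chain_b and addr_a != addr_b:
            swaps.append((chain_a, addr_a, addr_b))
    return swaps


# Constructed sample data: a victim's outgoing message and attacker-controlled
# addresses (syntactically valid, not real wallets).
SENT_MESSAGE = (
    "Send 0.5 BTC to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 and the USDT to "
    "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"
)
ATTACKER_ADDRESSES = {
    "btc_legacy": "1AttackerWa11etXyz9Q7kRtvPmN3s",
    "eth": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
}


if __name__ == "__main__":
    tampered = swap_addresses(SENT_MESSAGE, ATTACKER_ADDRESSES)
    print("keyword trigger fired:", mentions_crypto(SENT_MESSAGE))
    print("as typed:    ", SENT_MESSAGE)
    print("as delivered:", tampered)
    for chain, before, after in detect_swaps(SENT_MESSAGE, tampered):
        print(f"SWAPPED {chain}: {before} -> {after}")
```

The point of `detect_swaps` is that the swap is invisible to the sender, who sees the original text on screen, and to the recipient, who has no reference copy. The only reliable user-side defense is the manual one: compare the first and last few characters of the address the other party received against what you typed, over a second channel.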

Alongside the Android builds, Windows versions were also found: Telegram and WhatsApp installers for Microsoft's OS that bundle remote access Trojans (RATs). These do not carry a clipper; instead, the RAT gives the attacker full control of the victim's machine, so the wallets can be stolen directly without having to intercept the messaging app's traffic at all.

Tips to follow

  • On Android, install the app only from Google Play or from the developer's official website, never from a site reached through an ad or a video link.
  • On Windows, the only official version of WhatsApp is the one distributed through the Microsoft Store.
  • Before running any messenger installer on Windows, check its digital signature (file Properties > Digital Signatures): an installer that is unsigned, or signed by a publisher other than the app's developer, should be treated as malicious.

Source: ESET Research
