Lookalike Telegram and WhatsApp Websites Distributing Cryptocurrency Stealing Malware

March 17, 2023 | Ravie Lakshmanan | Cryptocurrency / Mobile Security

Copycat websites of instant messaging apps such as Telegram and WhatsApp have been used to distribute trojanized versions of those apps and infect Android and Windows users with cryptocurrency clipper malware.

ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis, “They all target victims’ cryptocurrency funds, and some target cryptocurrency wallets.”

The first instance of clipper malware on the Google Play Store dates back to 2019, but this is the first time an Android-based clipper has been embedded in an instant messaging app.

“Additionally, some of these apps use Optical Character Recognition (OCR) to recognize text from screenshots stored on compromised devices, a first for Android malware.”

The attack chain begins with an unsuspecting user clicking on a malicious ad in Google search results, which leads to hundreds of sketchy YouTube channels and from there to look-alike Telegram and WhatsApp websites.

The novelty of the latest batch of clipper malware is its ability to intercept the victim’s chats and replace sent and received cryptocurrency wallet addresses with attacker-controlled addresses.
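The substitution described above is detectable on the defender’s side by comparing the message a user composed with the message that actually left (or reached) the device. The following is an added illustration written for this article, not code from ESET or from the malware; the address patterns, sample addresses and the `detect_substitution` function are constructed assumptions and perform syntactic matching only, not checksum validation.

```python
import re

# Syntactic patterns for a few common wallet address formats (constructed
# for this example; they do not validate checksums).
WALLET_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "trx": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}


def extract_addresses(text):
    """Return (chain, address) pairs found in text, ordered by position."""
    found = []
    for chain, pattern in WALLET_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((match.start(), chain, match.group(0)))
    return [(chain, addr) for _, chain, addr in sorted(found)]


def detect_substitution(composed, delivered):
    """Compare the composed message with the delivered one.

    Returns a list of (chain, original_address, delivered_address) for every
    wallet address that was swapped in transit; delivered_address is None if
    the address was removed entirely or its chain no longer matches.
    """
    original = extract_addresses(composed)
    on_wire = extract_addresses(delivered)
    swapped = []
    for i, (chain, addr) in enumerate(original):
        if i < len(on_wire) and on_wire[i][0] == chain:
            if on_wire[i][1] != addr:
                swapped.append((chain, addr, on_wire[i][1]))
        else:
            swapped.append((chain, addr, None))
    return swapped


# Constructed sample data: the address the victim typed and an attacker
# address a clipper might substitute before the message is sent.
VICTIM_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
ATTACKER_ETH = "0x" + "deadbeef" * 5
COMPOSED = f"Please send the refund to {VICTIM_ETH} today"
DELIVERED = f"Please send the refund to {ATTACKER_ETH} today"


def run_demo():
    """Run the check on the constructed sample pair."""
    return detect_substitution(COMPOSED, DELIVERED)


if __name__ == "__main__":
    for chain, orig, new in run_demo():
        print(f"[{chain}] address swapped in transit: {orig} -> {new}")
```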

Another cluster of clipper malware abuses a legitimate machine learning plugin, Google’s ML Kit on Android, to run OCR that finds seed phrases in screenshots, which are then used to drain wallets.

The third cluster is designed to monitor Telegram conversations for specific Chinese keywords related to cryptocurrencies (both hardcoded and received from a remote server).

Finally, the fourth set of Android clippers can switch wallet addresses and also collect device information, messages, contacts and Telegram data.

The rogue Android APK package names are:

  • org.telegram.messenger
  • org.telegram.messenger.web2
  • org.tgplus.messenger
  • io.busniess.va.whatsapp
  • com.whatsapp

ESET said it also found two Windows clusters. One is designed to swap wallet addresses, and the other distributes remote access trojans (RATs) instead of clippers to take control of infected hosts and carry out cryptocurrency theft.

All analyzed RAT samples were based on the publicly available Gh0st RAT, except for one that performed more anti-analysis runtime checks during execution and used the HP-Socket library to communicate with its server.

It is also worth pointing out that these clusters, despite following similar tactics, represent a different set of activities likely developed by different actors.

The campaign, like similar malicious attacks uncovered last year, targeted Chinese-speaking users and was primarily motivated by the fact that both Telegram and WhatsApp are blocked in China.

“People who want to use these services must resort to indirect means to obtain them,” the researchers said. “Naturally, this is a golden opportunity for cybercriminals to exploit the situation.”
