Copycat websites for instant messaging apps such as WhatsApp and Telegram are being used to distribute trojanized versions of those apps that infect Android and Windows users with cryptocurrency clipper malware.
ESET researchers Peter Strýček and Lukáš Štefanko stated in a new analysis:
“All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets.”
While the first instance of clipper malware on the Google Play Store dates back to 2019, this development marks the first time Android clipper malware has been built into instant messaging apps.
“Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.”
The attack chain starts with unsuspecting users clicking on fraudulent ads in Google search results that lead to hundreds of sketchy YouTube channels, which in turn direct them to lookalike WhatsApp and Telegram websites.
What is interesting about the latest batch of clipper malware is that it can intercept a victim’s chat and replace any sent or received crypto wallet address with an address controlled by the threat actors.
Another cluster of clipper malware uses OCR to find and steal seed phrases by abusing ML Kit, a legitimate machine learning library on Android, which makes it possible for the criminals to empty the victims’ wallets.
A third cluster is designed to monitor Telegram conversations for certain Chinese keywords related to cryptocurrency, both hard-coded and received from a server, and, when one matches, to exfiltrate the entire message, together with the username and the channel or group name, to a remote server.
A fourth set of Android clippers comes with extensive features to switch the wallet address and harvest device information and Telegram data, including contacts and messages.
The malicious Android APK package names include:
- org.tgplus.messenger
- org.telegram.messenger
- com.whatsapp
- org.telegram.messenger.web2
- io.busniess.va.whatsapp
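As an added example (not code from ESET’s report or from this article), the following Python helper cross-checks an installed-app inventory against the package names listed above. Because org.telegram.messenger and com.whatsapp are also the package names of the genuine apps, a name match alone proves nothing; the helper only clears those two when the APK signer matches a known-good fingerprint, and the fingerprints here are placeholders that are assumed to be replaced with values taken from official builds.

```python
from dataclasses import dataclass

# Package names reported for the trojanized apps (taken from the article).
# org.telegram.messenger and com.whatsapp are also the genuine apps' names:
# the fakes reuse them, so the name by itself is not an indicator.
REPORTED_PACKAGES = {
    "org.tgplus.messenger",
    "org.telegram.messenger",
    "com.whatsapp",
    "org.telegram.messenger.web2",
    "io.busniess.va.whatsapp",
}

# Placeholder SHA-256 signer fingerprints for the genuine apps (assumption:
# fill these in from an APK obtained through the official distribution channel).
KNOWN_GOOD_SIGNERS = {
    "org.telegram.messenger": "PLACEHOLDER_TELEGRAM_SIGNER_SHA256",
    "com.whatsapp": "PLACEHOLDER_WHATSAPP_SIGNER_SHA256",
}


@dataclass
class InstalledApp:
    package: str
    signer_sha256: str  # e.g. as printed by apksigner or a device inventory tool


def triage_package(app: InstalledApp) -> str:
    """Classify one installed package.

    'clean'      -> name is not on the reported list
    'verified'   -> name collides with a genuine app and the signer matches
    'suspicious' -> on the reported list and no trusted signer vouches for it
    """
    if app.package not in REPORTED_PACKAGES:
        return "clean"
    expected = KNOWN_GOOD_SIGNERS.get(app.package)
    if expected is not None and app.signer_sha256.lower() == expected.lower():
        return "verified"
    return "suspicious"


def triage_inventory(apps):
    """Return (package, verdict) pairs for every app in the inventory."""
    return [(a.package, triage_package(a)) for a in apps]
```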
ESET said it also found two Windows clusters: one engineered to swap wallet addresses, and a second that distributes remote access trojans (RATs) instead of clippers to gain control of the infected hosts and carry out various cryptocurrency thefts.
All of the analyzed RAT samples are based on the publicly available Gh0st RAT, except one, which performs more anti-analysis runtime checks during execution and uses the HP-socket library to communicate with its server.
Notably, these clusters represent distinct sets of activity, possibly developed by different threat actors, despite following a similar modus operandi.
The campaign, like similar malicious operations discovered in 2022, is aimed specifically at Chinese-speaking users, largely because WhatsApp and Telegram are blocked in China.
The researchers said:
“People who wish to use these services have to resort to indirect means of obtaining them. Unsurprisingly, this constitutes a ripe opportunity for cybercriminals to abuse the situation.”