Dozens of websites set up to deliver trojanized versions of WhatsApp and Telegram apps have been spotted targeting Android and Windows users.
As discovered by security researchers at ESET, most of these apps rely on clipper malware designed to steal or modify the contents of the Android clipboard.
“All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time we have seen Android clippers focusing specifically on instant messaging,” wrote ESET malware researchers Lukas Stefanko and Peter Strýček in a Thursday advisory.
“Furthermore, some of the clippers abused OCR [optical character recognition] to extract mnemonic phrases out of images saved on the victims’ devices, a malicious use of the screen reading technology that we saw for the first time.”
The cybersecurity researchers also said they found Windows versions of the wallet-switching clippers, together with Telegram and WhatsApp installers for Windows, packed with remote access trojans (RATs).
“Through their various modules, the RATs enable the attackers control over the victims’ machines.”
From a technical standpoint, Stefanko and Strýček explained that trojanizing Telegram was a relatively straightforward task for the threat actors, as the app’s code is open source.
“On the other hand, WhatsApp’s source code is not publicly available, which means that before repackaging the application with malicious code, the threat actors first had to perform an in-depth analysis of the app’s functionality to identify the specific places to be modified,” reads the ESET advisory.
In terms of victims, the malware researchers said the trojanized versions of WhatsApp and Telegram apps mainly targeted Chinese-speaking users.
“Because both Telegram and WhatsApp have been blocked in China for several years now […] people who wish to use these services have to resort to indirect means of obtaining them,” Stefanko and Strýček wrote. “Unsurprisingly, this constitutes a ripe opportunity for cyber-criminals to abuse the situation.”
A separate malware campaign also aimed at cryptocurrency theft was recently discovered by Proofpoint.