Telegram, WhatsApp Trojanized to Target Cryptocurrency Wallets

Security

Dozens of websites set up to deliver trojanized versions of WhatsApp and Telegram apps have been spotted targeting Android and Windows users.

As discovered by security researchers at ESET, most of these apps rely on clipper malware designed to steal or modify the contents of the Android clipboard.

Read more on clipper malware here: Shein App Accessed Clipboard Data on Android Devices

“All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time we have seen Android clippers focusing specifically on instant messaging,” wrote ESET malware researchers Lukas Stefanko and Peter Strýček in a Thursday advisory.

“Furthermore, some of the clippers abused OCR [optical character recognition] to extract mnemonic phrases out of images saved on the victims’ devices, a malicious use of the screen reading technology that we saw for the first time.”

The cybersecurity researchers also said they found Windows versions of the wallet-switching clippers, together with Telegram and WhatsApp installers for Windows, packed with remote access trojans (RATs).

“Through their various modules, the RATs enable the attackers control over the victims’ machines.”

From a technical standpoint, Stefanko and Strýček explained that trojanizing Telegram was a relatively straightforward task for the threat actors, as the app’s code is open source.

“On the other hand, WhatsApp’s source code is not publicly available, which means that before repackaging the application with malicious code, the threat actors first had to perform an in-depth analysis of the app’s functionality to identify the specific places to be modified,” reads the ESET advisory.

In terms of victims, the malware researchers said the trojanized versions of WhatsApp and Telegram apps mainly targeted Chinese-speaking users.

“Because both Telegram and WhatsApp have been blocked in China for several years now […] people who wish to use these services have to resort to indirect means of obtaining them,” Stefanko and Strýček wrote. “Unsurprisingly, this constitutes a ripe opportunity for cyber-criminals to abuse the situation.”

A separate malware campaign also aimed at cryptocurrency theft was recently discovered by Proofpoint.

Products You May Like

Articles You May Like

Ukraine’s Security Service Probes GRU-Linked Cyber-Attack on State Registers
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
US Organizations Still Using Kaspersky Products Despite Ban
LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages
HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft

Leave a Reply

Your email address will not be published. Required fields are marked *