Weaponized Telegram & WhatsApp Apps

ESET Research discovered the first instance of clippers embedded in messaging apps. Several fake Telegram and WhatsApp websites have been found, mostly targeting Android and Windows users with trojanized versions of these instant messaging services.

Notably, the majority of the harmful apps that researchers found are clippers, a type of malware that steals or alters the contents of the clipboard. 

They are all pursuing their victims’ cryptocurrency funds, with several focusing on cryptocurrency wallets.

Researchers say some of these apps use optical character recognition (OCR), another first for Android malware, to extract text from screenshots saved on the compromised devices.

What is a Clipper?

A clipper is a malicious piece of code that copies or modifies the contents of a machine's clipboard.

Because addresses for online cryptocurrency wallets are made up of long strings of characters and users frequently copy and paste addresses using the clipboard rather than entering them, clippers are appealing to fraudsters looking to steal cryptocurrency.

A clipper can exploit this by intercepting the information on the clipboard and covertly replacing any cryptocurrency wallet addresses with those the criminals can access.

“The main purpose of the clippers is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers,” ESET reports.
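As an added illustration (not code from ESET's research or from the article), the following defender-side heuristic watches a series of clipboard snapshots for the swap pattern described above: a wallet address replaced by a different address of the same coin type within a couple of seconds. The address patterns and the sample snapshots are constructed for the demo and are deliberately rough.

```python
import re
from dataclasses import dataclass

# Rough address patterns (assumption: good enough for a demo, not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the coin type if the clipboard text looks like a wallet address, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


@dataclass
class Snapshot:
    t: float      # seconds since monitoring started (constructed)
    content: str  # clipboard text observed at that moment


def detect_swaps(snapshots, window=2.0):
    """Flag consecutive snapshots where an address of one coin type is replaced by a
    different address of the same type within `window` seconds. A user rarely copies
    two different addresses of the same coin that quickly; a clipper does exactly that."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        kind_prev, kind_cur = classify(prev.content), classify(cur.content)
        if (kind_prev is not None and kind_prev == kind_cur
                and prev.content.strip() != cur.content.strip()
                and cur.t - prev.t <= window):
            alerts.append((kind_cur, prev.content.strip(), cur.content.strip()))
    return alerts


# Constructed sample: the user copies an ETH address and it is swapped 0.3 s later;
# the later BTC address is a normal copy with no swap.
SAMPLE = [
    Snapshot(0.0, "meeting at 3pm"),
    Snapshot(5.0, "0x" + "ab" * 20),
    Snapshot(5.3, "0x" + "cd" * 20),
    Snapshot(20.0, "bc1q" + "q" * 38),
]

if __name__ == "__main__":
    for coin, before, after in detect_swaps(SAMPLE):
        print(f"possible clipper swap ({coin}): {before} -> {after}")
```

On a real endpoint the snapshots would come from polling the clipboard; the heuristic only flags the change, and a suspect process still has to be identified by other means.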

How has it Been Distributed?

The operators target mostly Chinese-speaking users. The threat actors first create Google Ads that lead viewers to fake YouTube channels, which then redirect them to fake Telegram and WhatsApp websites.

https://www.welivesecurity.com/wp-content/uploads/2023/03/figure01.png
Distribution diagram

Since Google Play, Telegram, and WhatsApp are all restricted in China, Android users there are likely used to jumping through multiple hoops to obtain apps that are not officially available.

Since they are aware of this, cybercriminals aim to ensnare their victims as soon as they start searching for WhatsApp or Telegram on Google.

https://www.welivesecurity.com/wp-content/uploads/2023/03/figure03.png
Paid advertisement when searching for Chinese Telegram

“We found hundreds of YouTube channels pointing to dozens of counterfeit Telegram and WhatsApp websites. These sites impersonate legitimate services and provide both desktop and mobile versions of the app for download. None of the analyzed apps were available on the Google Play store”, the researchers say.

https://www.welivesecurity.com/wp-content/uploads/2023/03/figure06_1.png
Websites mimicking Telegram and WhatsApp.

Researchers mention that the fake websites provide download links for Telegram and WhatsApp for all supported operating systems. However, all Linux and macOS links, as well as the majority of iOS links, lead to the genuine websites of the respective applications.

In the case of the few iOS links that did lead to fake websites, the apps were no longer available for download by the time the investigation was conducted.

Android Trojans

The main goal of the trojanized Android apps is to intercept victims’ chat conversations and either swap any cryptocurrency wallet addresses for the attackers’ own or exfiltrate sensitive information that would allow the attackers to steal victims’ cryptocurrency funds.

The trojanized Telegram and WhatsApp apps behave differently when replacing wallet addresses. With a malicious Telegram app, the victim continues to see the original address until the app is restarted; only then is the attacker’s address displayed.

In contrast, with a trojanized WhatsApp, the victim’s own address remains visible in sent messages, but the recipient sees the attacker’s address.

https://www.welivesecurity.com/wp-content/uploads/2023/03/figure07-1024x969.png
Malicious WhatsApp (left) replaced the sent wallet address in the message for the recipient (right)

Windows Trojans

Researchers say the Windows versions include both remote access trojans and clippers. The RATs can perform a wider range of harmful actions, such as taking screenshots and deleting files, whereas the clippers focus primarily on stealing cryptocurrency.

Some of them can alter the clipboard, enabling them to hijack cryptocurrency transfers. The Windows apps were hosted on the same domains as the Android versions.

Remote Access Trojans

The RATs contain many modules that let the threat actors carry out operations including stealing clipboard data, logging keystrokes, querying the Windows Registry, capturing the screen, collecting system information, and performing file operations.

“With one exception, all the remote access trojans we analyzed were based on the notorious Gh0st RAT, malware that is frequently used by cybercriminals due to its public availability”, the researchers say.

In short, threat actors use trojanized Telegram and WhatsApp applications for Android and Windows to steal cryptocurrency from their victims.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.