The ESET research team discovered dozens of websites posing as Telegram and WhatsApp that target Android and Windows users with trojanized versions of the messaging apps.
Most of the malicious applications identified are clippers (a clipper is a type of malware that steals or alters the contents of the clipboard), and this is the first time ESET has seen this type of malware for Android disguised as an instant messaging application. In addition, some of these apps use optical character recognition (OCR) to extract text from screenshots stored on compromised devices, another first for Android malware.
This type of malicious code is attractive to cybercriminals interested in stealing cryptocurrency, because online wallet addresses are long strings of characters and users tend to copy and paste them rather than type them. Malware of this kind can intercept the contents of the clipboard and steal or swap any copied cryptocurrency wallet address.
“Not only were the first clippers in instant messaging applications identified, but several groups of them were also discovered. The main objective of the clippers is to intercept communications in the messaging applications used by the victim and replace any cryptocurrency wallet addresses sent and received with addresses belonging to the attackers. In addition to Trojanized versions of WhatsApp and Telegram for Android, they also found the same apps for Windows,” explains Camilo Gutiérrez Amaya, head of the ESET Latin America Research Laboratory.
ESET observed that the applications behave in different ways. When a victim pastes a cryptocurrency wallet address in the malicious version of the Telegram app, they continue to see the original address until the app is restarted; after that, the address belonging to the attacker is displayed. In WhatsApp, the victim sees their own address in the messages they send, but the recipient receives the attacker's address.
The malicious version of WhatsApp (left) replaced the wallet address sent in the message to the recipient (right)
According to ESET's analysis, the operators behind these threats buy Google ads that appear at the top of the search results page and lead to fraudulent YouTube channels, from which victims are redirected to fake versions of the messaging apps. In addition, a particular Telegram group advertised a malicious version of the app that claimed to offer a free proxy service outside of China. When ESET discovered these fraudulent advertisements and the related YouTube channels, it informed Google, which shut them down immediately.
Ads displayed when searching for Telegram in China
Trojanized Telegram offered in a group within the app itself
“At first glance, it may seem complex how these rogue apps are distributed. However, with Telegram, WhatsApp, and Google Play blocked in China, Android users may be used to overcoming various hurdles to download apps that aren’t officially available. Cyber criminals are aware of this and try to capture their victims from the very beginning, when the victim searches Google for a blocked app to download,” Gutiérrez added.
Fake WhatsApp YouTube channel directs potential victims to a fake site
Some tips to protect yourself on Android
- Install apps only from reliable sources, such as the Google Play Store.
- If you share cryptocurrency wallet addresses via the Telegram Android app, double-check that the address you sent matches the one displayed after restarting the app. If it does not, warn the recipient not to use the address and try to delete the message. Unfortunately, this check does not work against the trojanized version of WhatsApp for Android.
- Do not store unencrypted images or screenshots that contain sensitive information, such as mnemonic phrases, passwords, and private keys, on your device.
- If you think you have a trojanized version of Telegram or WhatsApp on your device, remove it manually and download the app again from Google Play or directly from the legitimate site.
And some more for Windows
- If you want to be sure that a Telegram installer is legitimate, check that the file's digital signature is valid and was issued to Telegram FZ-LLC.
- If you suspect that the application is malicious, use a security solution to detect and remove the threat.
- The only official version of WhatsApp for Windows is currently available on the Microsoft Store.
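The signature check in the first Windows tip can be scripted. The following PowerShell is an added example, not part of the ESET research or the article; the installer path is a placeholder, and the expected signer name is the one the article gives (Telegram FZ-LLC).

```powershell
# Added example (not from the ESET report): verify that a downloaded Telegram
# installer carries a valid Authenticode signature issued to Telegram FZ-LLC.
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\tsetup.exe",  # placeholder path
    [string]$ExpectedSigner = 'Telegram FZ-LLC'                          # signer named in the article
)

function Test-TelegramInstallerSignature {
    param([string]$Path, [string]$Signer)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound'; Signer = $null; Result = 'DoNotRun' }
    }

    # Get-AuthenticodeSignature validates the signature and its certificate chain
    # and returns the signer certificate (if any) together with a Status value.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # The certificate subject is a distinguished name such as "CN=Telegram FZ-LLC, O=..., C=...";
    # pull out the CN value so an attacker-controlled O= or OU= field cannot satisfy the check.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $cn      = if ($subject -match 'CN=([^,]+)') { $Matches[1].Trim('"', ' ') } else { '' }

    # Both conditions must hold: the signature chain is valid AND the signer is the expected publisher.
    # A valid signature from some other company (a common trick) is still a red flag.
    $ok = ($sig.Status -eq 'Valid') -and ($cn -eq $Signer)

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $cn
        Result = if ($ok) { 'TrustedSigner' } else { 'DoNotRun' }
    }
}

Test-TelegramInstallerSignature -Path $InstallerPath -Signer $ExpectedSigner | Format-List
```

A result of `DoNotRun` with status `NotSigned` or `HashMismatch` means the file was either never signed by the publisher or was modified after signing, which is exactly what a repackaged installer looks like.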
Disclaimer: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.