Cybercriminals are using copycat websites of popular instant messaging apps like Telegram and WhatsApp to distribute trojanized versions that infect Android and Windows users with cryptocurrency clipper malware.
ESET researchers have discovered that this latest batch of clipper malware can intercept a victim’s chats and replace any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.
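One defensive measure that follows from this behaviour is an address-substitution check: if a sender can confirm the wallet address they composed against the one the recipient actually saw (for example by reading it back over a separate channel), any swap performed on the device becomes visible. The Python below is an added illustration, not code from ESET or from any of the analysed malware families; the address regexes are simplified, the sample messages are constructed, and the bech32 address used as the "expected" value is the BIP173 example address rather than a live wallet.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified recognisers for common wallet address formats (constructed for this
# example; they check shape only, not checksums, so they can produce false positives).
ADDRESS_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "bitcoin_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "bitcoin_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

Address = Tuple[str, str]  # (format name, address string)


def extract_addresses(text: str) -> List[Address]:
    """Return every wallet-looking token in `text`, in order of appearance."""
    hits = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((match.start(), kind, match.group(0)))
    hits.sort()  # keep message order regardless of which pattern matched
    return [(kind, addr) for _, kind, addr in hits]


def detect_substitution(composed: str, delivered: str) -> List[dict]:
    """Compare the addresses in a message as composed with those in the message as
    delivered. Any position where the two differ (including an address that
    vanished or appeared) is reported as a finding. A clipper that rewrites the
    address in transit shows up as expected != observed."""
    expected = extract_addresses(composed)
    observed = extract_addresses(delivered)
    findings = []
    for i in range(max(len(expected), len(observed))):
        exp: Optional[Address] = expected[i] if i < len(expected) else None
        obs: Optional[Address] = observed[i] if i < len(observed) else None
        if exp != obs:
            findings.append({"position": i, "expected": exp, "observed": obs})
    return findings


def unknown_addresses(text: str, trusted: set) -> List[Address]:
    """Flag addresses in a received message that are not in the recipient's own
    list of previously verified addresses; useful on the receiving side, where
    the original composed text is not available."""
    return [(kind, addr) for kind, addr in extract_addresses(text) if addr not in trusted]


if __name__ == "__main__":
    # Constructed scenario: the sender typed the BIP173 example address, the
    # recipient saw a different (constructed, invalid-checksum) address.
    sent_addr = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
    swapped_addr = "bc1qattackerzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
    composed = f"Please send the 0.05 BTC to {sent_addr} thanks"
    delivered = composed.replace(sent_addr, swapped_addr)
    for finding in detect_substitution(composed, delivered):
        print("address substitution:", finding)
```

The sorting by match offset matters when a message carries addresses of more than one format: comparing by position in the message, rather than per pattern, is what lets the check catch a swap that also changes the address type. On the receiving side, where only the delivered text exists, `unknown_addresses` gives the weaker but still useful signal of an address the user has never verified before.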
The attack chain starts with unsuspecting users clicking on fraudulent ads on Google search results, which lead to hundreds of sketchy YouTube channels and then to lookalike Telegram and WhatsApp websites.
The latest clipper malware is capable of leveraging optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, another first for Android malware.
Another cluster of clipper malware uses OCR to find and steal seed phrases by leveraging ML Kit, a legitimate machine learning plugin on Android, thereby making it possible to empty the wallets. A third cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords related to cryptocurrencies and, when they appear, exfiltrate the conversation.
Lastly, a fourth set of Android clippers comes with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts.
Although the clusters represent disparate sets of activity likely developed by different threat actors, they all aim to steal cryptocurrency funds, with several of them targeting cryptocurrency wallets directly.
The campaign, like a similar malicious cyber operation that came to light last year, is primarily geared towards Chinese-speaking users: both Telegram and WhatsApp are blocked in China, so people who wish to use these services have to resort to indirect means of obtaining them.
This constitutes a ripe opportunity for cybercriminals to abuse the situation.