Dozens of websites set up to deliver ‘trojanised’ versions of WhatsApp and Telegram have been seen targeting Android and Windows users. Trojanized version is a type of malware whose main objective is to create a gateway so that other malicious software can invade a system.
As discovered by ESET security researchers, most of these applications rely on the Clipper trojan, designed to steal or modify the contents of the Android clipboard.
“All of them are after victims’ cryptocurrencies, targeting multiple cryptocurrency wallets. This is the first time we have seen Android clippers targeting instant messaging apps specifically,” wrote ESET malware researchers Lukas Stefanko and Peter Strýček in a press release on Thursday.
“Furthermore, some of the clippers exploited the OCR system [reconhecimento óptico de caracteres] to extract mnemonic phrases from images saved on victims’ devices, a malicious use of screen-reading technology that we’ve seen for the first time.”
Cybersecurity researchers are also said to have found Windows versions of the transfer clippers, along with Telegram and WhatsApp installers for Windows, packed with remote access trojans (RATs). “Through their various modules, RATs allow attackers to control victims’ machines,” they said.
From a technical point of view, Stefanko and Strýček explained that ‘trojanizing’ Telegram was a relatively simple task for attackers, as the application’s code is open source.
Look this
WhatsApp admits use of proxy to ‘bypass’ internet censorship
Telegram and Discord are used to spread and execute malware
“On the other hand, WhatsApp’s source code is not publicly available, which means that before ‘repackaging’ the app with malicious code, attackers first had to perform an in-depth analysis of the app’s functionality to identify the specific locations to be modified,” reads the ESET statement.
In terms of victims, malware researchers said that trojanized versions of the WhatsApp and Telegram apps mainly targeted Chinese-speaking users. “As Telegram and WhatsApp have been blocked in China for several years[…], people who want to use these services have to resort to indirect means to obtain them,” wrote Stefanko and Strýček. “Unsurprisingly, this constitutes an opportunity for cybercriminals to abuse the situation.”
/nginx/o/2023/03/19/15208069t1h6c57.jpg?resize=150%2C150&ssl=1)