ESET researchers have uncovered a disconcerting trend of fake Telegram and WhatsApp websites, especially targeting Android and Windows users. These copycats contain trojans known as clippers, which can modify the contents of your clipboard in order to steal your cryptocurrency funds. This is particularly alarming as some of these apps even use optical character recognition (OCR) to read text from screenshots, a brand-new development in the world of Android malware.
Our team was able to determine that the main targets of these fraudulent applications were Chinese-speaking users, who have been cut off from accessing Telegram and WhatsApp by the Chinese government for several years now. It seems that the threat actors are exploiting this gap in the market, luring in users with fake Google Ads and fraudulent YouTube channels. Fortunately, ESET Research acted quickly and reported these misleading ads and channels to Google, which promptly shut them all down.
The purpose of these clippers is to replace any cryptocurrency wallet addresses belonging to victims with the addresses of the attackers, which can be hardcoded or dynamically retrieved from the attacker’s server. But the methods of attack vary greatly, with some using RATs (remote access trojans) to gain full control of the victim’s system and others monitoring Telegram communication for certain keywords related to cryptocurrencies.
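The address swap described above leaves a recognizable trace in clipboard history: one wallet address replaced by a different address of the same format almost immediately after the copy. The following detection heuristic is an added example, not code from ESET or from the apps discussed; the address formats covered (Bitcoin and Ethereum), the `max_gap` threshold, and all function names are assumptions, and the sample addresses are constructed placeholders.

```python
import re

# Shape-only patterns (assumption: Bitcoin and Ethereum formats; no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

def address_kind(text):
    """Return the wallet format the whole clipboard text matches, or None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None

def find_suspected_swaps(snapshots, max_gap=1.0):
    """Flag clipboard changes where one address is replaced by a different
    address of the same format within max_gap seconds, faster than a person
    would plausibly copy a second address.

    snapshots: list of (timestamp_seconds, clipboard_text), oldest first.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        kind = address_kind(prev)
        if (kind is not None and kind == address_kind(cur)
                and prev.strip() != cur.strip()
                and t_cur - t_prev <= max_gap):
            alerts.append({"time": t_cur, "kind": kind,
                           "copied": prev.strip(), "replaced_by": cur.strip()})
    return alerts

# Constructed sample data: placeholder strings with a valid shape, not real wallets.
USER_ETH = "0x" + "ab" * 20
OTHER_ETH = "0x" + "cd" * 20
USER_BTC = "1" + "A" * 33
SAMPLE = [
    (0.0, "meeting at 10"),
    (5.0, USER_ETH),          # user copies a payment address
    (5.2, OTHER_ETH),         # replaced 0.2 s later: flagged
    (60.0, USER_BTC),
    (95.0, "1" + "B" * 33),   # 35 s later: plausibly a deliberate second copy
]

if __name__ == "__main__":
    for alert in find_suspected_swaps(SAMPLE):
        print(alert)
```

The same comparison works as a manual habit: after pasting a wallet address, check it against the original before confirming the transfer.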
So, what can you do to protect yourself? It’s crucial that you only download apps from trustworthy sources such as Google Play, and avoid storing unencrypted pictures or screenshots that contain sensitive information on your device. If you suspect that you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play or from the legitimate website. For Windows users, remember that the only official version of WhatsApp is currently available in the Microsoft Store.
Protect your Telegram and WhatsApp from trojanized versions targeting cryptocurrency wallets with SYC™- Secured Mobile Phone. Stay safe from malicious actors and keep your sensitive information secure.