Recently, websites mimicking instant messaging applications such as Telegram and WhatsApp have been used to distribute malware that infects Android and Windows systems. This malware is known as cryptocurrency clipper malware, which aims to steal victims' cryptocurrency funds, with some specifically targeting cryptocurrency wallets.
Researchers Lukáš Štefanko and Peter Strýček from the Slovak cybersecurity company ESET wrote in their latest analysis report:
"All of these malicious applications target victims' cryptocurrency funds, with some targeting cryptocurrency wallets."
Although the first instance of cryptocurrency clipper malware on the Google Play Store can be traced back to 2019, this development marks the first time Android-based cryptocurrency clipper malware has been built into instant messaging applications.
Moreover, some of these applications also use optical character recognition (OCR) technology to identify text from screenshots stored on infected devices, which is also a first in Android malware.
The attack chain begins when a victim clicks a fraudulent ad in Google search results; the ad leads to one of hundreds of suspicious YouTube channels, which in turn redirect the user to look-alike Telegram and WhatsApp websites.
What makes this latest batch of cryptocurrency clipper malware novel is its ability to intercept victims' chat messages and replace any cryptocurrency wallet address that is sent or received with an address controlled by the threat actors.
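The following is an added illustration of the artifact such an in-app clipper leaves behind; it is not code from the page or from ESET's report. It compares the message a user composed with the message that was actually transmitted, flags any wallet address that changed in transit, and validates Bitcoin legacy addresses with a Base58Check checksum so that a flagged address can also be checked for plausibility. The address patterns, the sample messages and the swapped address are constructed for the example; the only real value is the well-known Bitcoin genesis-block address, used as a stand-in for a recipient's legitimate address.

```python
"""
Added illustration (not ESET's code): detect clipper-style wallet-address
substitution by diffing the composed and transmitted copies of a message,
plus a Base58Check validity check for Bitcoin legacy addresses.
All sample messages below are constructed.
"""
import hashlib
import re

# Patterns for common address formats: Bitcoin P2PKH/P2SH (Base58),
# Bitcoin bech32 (bc1...), and Ethereum-style hex addresses.
ADDRESS_RE = re.compile(
    r"\b(?:[13][A-HJ-NP-Za-km-z1-9]{25,34}|bc1[a-z0-9]{25,59}|0x[0-9a-fA-F]{40})\b"
)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string into raw bytes (each leading '1' is a 0x00 byte)."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_legacy(addr: str) -> bool:
    """True if addr decodes to 1 version byte + 20 hash bytes + a matching 4-byte checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


def extract_addresses(text: str) -> list[str]:
    """Return wallet-looking strings in the order they appear in the text."""
    return ADDRESS_RE.findall(text)


def detect_swaps(composed: str, transmitted: str) -> list[tuple[str, str]]:
    """
    Compare, position by position, the addresses in the message the user
    composed with those in the message that left the device. A mismatch is
    the signature of an in-app clipper rewriting the message on the way out.
    (A change in the number of addresses would be just as suspicious; the
    positional comparison below covers the common one-for-one swap.)
    """
    before = extract_addresses(composed)
    after = extract_addresses(transmitted)
    return [(a, b) for a, b in zip(before, after) if a != b]


# Constructed sample: the Bitcoin genesis-block address stands in for the
# recipient's real address; the "transmitted" copy carries a different string.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
SWAPPED_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"  # constructed: last char altered
COMPOSED = f"send the 0.01 BTC to {GENESIS_ADDR} thanks"
TRANSMITTED = f"send the 0.01 BTC to {SWAPPED_ADDR} thanks"

if __name__ == "__main__":
    for intended, seen in detect_swaps(COMPOSED, TRANSMITTED):
        print(f"ALERT: address changed in transit: {intended} -> {seen} "
              f"(checksum of transmitted address valid: {is_valid_btc_legacy(seen)})")
```

A real clipper substitutes an address with a valid checksum, so the checksum check alone never catches a swap; it only separates corrupted strings from plausible ones. The actual detection signal is the mismatch between what the user typed and what was transmitted, which is why the comparison is the core of the check and the only practical countermeasure for end users is to verify the address shown on the recipient's side before sending funds.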
Another cluster of cryptocurrency clipper malware uses ML Kit, a legitimate machine learning library for Android, to find and steal seed phrases, which can let the attackers drain the corresponding wallets.
A third cluster of malware monitors Telegram conversations for certain Chinese-language keywords related to cryptocurrency. If a matching message is found, it exfiltrates the entire message, the username, the group or channel name, and other data to remote servers.
Lastly, a fourth Android clipper set has broader functionality, including swapping wallet addresses, collecting device information, and harvesting Telegram data such as messages and contacts.
The following are the names of these malicious APK software packages:
ESET also discovered two Windows-based clusters, one designed to swap wallet addresses and the other to distribute remote access trojans.