Copycat websites for instant messaging apps like Telegram and WhatApp are being used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware.

“All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets,” ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis.

While the first instance of clipper malware on the Google Play Store dates back to 2019, the development marks the first time Android-based clipper malware has been built into instant messaging apps.

“Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware,” the Slovak cybersecurity firm added.

The attack chain begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites.

What’s novel about the latest batch of clipper malware is that it’s capable of intercepting a victim’s chats and replacing any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.

Another cluster of clipper malware makes use of OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android, thereby making it possible to empty the wallets.

A third cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords related to cryptocurrencies, both hard-coded and received from a server, and if so, exfiltrate the complete message, along with the username, group or channel name, to a remote server.

Lastly, a fourth set of Android clippers come with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts.

The rogue Android APK package names are listed below –

  • org.telegram.messenger
  • org.telegram.messenger.web2
  • org.tgplus.messenger
  • com.whatsapp

ESET said it also found two Windows-based clusters, one which is engineered to swap wallet addresses and a second group that distributes remote access trojans (RATs) in place of clippers to gain control of infected hosts and perpetrate crypto theft.

All the analyzed RAT samples are based on the publicly available Gh0st RAT, barring one, which employs more anti-analysis runtime checks during its execution and uses the HP-socket library to communicate with its server.

It’s also worth pointing out that these clusters, despite following an identical modus operandi, represent disparate sets of activity likely developed by different threat actors.

The campaign, like a similar malicious cyber operation that came to light last year, is geared towards Chinese-speaking users, primarily motivated by the fact that both Telegram and WhatsApp are blocked in the country.

“People who wish to use these services have to resort to indirect means of obtaining them,” the researchers said. “Unsurprisingly, this constitutes a ripe opportunity for cybercriminals to abuse the situation.”