A new study by the information security company ESET reveals malicious versions of WhatsApp and Telegram used to steal digital currencies | all the details
Researchers at the information security company ESET discovered dozens of imitation WhatsApp and Telegram websites, aimed mainly at Android and Windows users, that offered versions of the apps infected with Trojan horses. Most of the malicious apps detected are of the “copy and paste” type: malware that steals the contents of the clipboard or alters it. All of them aim to steal the victims’ digital currencies, and some also target the digital wallets themselves. This is the first time ESET’s researchers have come across copy-paste malware for Android built into instant messaging apps. In addition, some of the apps used image text recognition (OCR) to extract text from screenshots stored on the affected devices, which is also the first such case found in Android malware.
Judging by the language used in the fake software, those behind it aimed their attacks mainly at Chinese-speaking users. Since both Telegram and WhatsApp have been blocked in China for several years (WhatsApp since 2017 and Telegram since 2015), people who want to use these services must obtain the software through indirect means.
The attackers set up Google ads leading to YouTube channels whose videos directed viewers to sites impersonating WhatsApp and Telegram. ESET reported the fake ads and the relevant YouTube channels to Google, which quickly shut them all down.
“The main goal of the ‘copy and paste’ malware we discovered is to intercept the victim’s message communication and replace the wallet addresses that were sent and received with addresses belonging to the attackers. In addition to the patched versions of the applications intended for Android, we also found patched versions of the same applications for Windows,” notes ESET researcher Lukas Stefanko, who discovered the infected apps.
Although they serve the same general purpose, the patched versions of the apps offered several additional functions. The copy-paste Android malware we’ve identified is the first case of Android malware that uses image text recognition to read text from screenshots and images stored on the victim’s device. This recognition mechanism is designed to locate and steal a seed phrase, a recovery code consisting of a series of words that is used to restore digital currency wallets. Once the attackers obtain this seed phrase, they can steal all the digital currencies directly from the wallet it is linked to.
In another case, the malware simply replaced the victim’s digital wallet address with the attacker’s in every chat message sent or received; the replacement addresses were either stored in the malware itself or downloaded from the attacker’s server. In yet another case, the malware searched Telegram messages for specific words related to digital currencies. Once such a word was detected, the malware sent the complete message to the attacker’s server.
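As an added illustration, not ESET’s code or data, the check below shows the defender-side logic for the substitution behaviour described above: it extracts wallet-looking addresses from the message a user composed and from the message that was actually transmitted, and flags any address that appears only in the transmitted copy. The regexes and the sample messages are constructed assumptions for the demo, not an exhaustive address validator.

```python
import re

# Constructed patterns for three common address formats (demo assumption:
# good enough to spot a swap, not a full checksum validator).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{25,62}\b"),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def extract_addresses(text):
    """Return every (kind, address) pair found in text, grouped by kind."""
    found = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((kind, match.group(0)))
    return found


def detect_swap(composed, transmitted):
    """Flag addresses present in the transmitted message but absent from the
    text the user composed: the signature of an address-replacing clipper."""
    injected = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        original = set(pattern.findall(composed))
        for address in pattern.findall(transmitted):
            if address not in original:
                injected.append((kind, address))
    return injected


# Constructed sample: what the user typed versus what left the device.
COMPOSED = ("Send the BTC to 1ExAMPLEAddrA2B3C4D5E6F7G8H9J1K2L3M and the ETH "
            "to 0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2.")
TRANSMITTED = ("Send the BTC to 1AttackerSwapZ9Y8X7W6V5U4T3S2R1QPNM and the ETH "
               "to 0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2.")


def demo():
    """Run the check on the constructed sample and return the flagged swaps."""
    return detect_swap(COMPOSED, TRANSMITTED)


if __name__ == "__main__":
    for kind, address in demo():
        print(f"address replaced in transit ({kind}): {address}")
```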
ESET’s researchers also discovered Windows versions of this copy-paste malware, as well as WhatsApp and Telegram installers bundled with remote access Trojans. Contrary to the usual modus operandi of this malware, one of the infected packages does not include copy-paste malware at all, but remote access Trojans that give full control over the victim’s system. With that level of control, the Trojans can steal digital wallets without intercepting the application’s incoming and outgoing messages.
ESET recommends installing apps only from known and trusted sources, such as the Google Play store, and not storing unencrypted images or screenshots containing sensitive information on your devices. If you think you have installed an infected version of Telegram or WhatsApp, remove it and download the app again from the official app store or the software vendor’s official website.
If you suspect that your Windows Telegram app is malicious, use a security solution to detect and remove the threat. The official Windows version of WhatsApp is currently available only from the Microsoft Store.