
【Clipboard crisis】Malware embedded in Telegram to steal cryptocurrency for Chinese users- wepro180

by admin

Popular websites and applications are a favourite lure for criminals, who publish counterfeit versions to deceive the public. Recently, fake websites for the instant-messaging apps Telegram and WhatsApp have been used to spread clipboard malware ("clippers"). Researchers point out that the attacks target Chinese-speaking users and their cryptocurrency.

Clipper malware first appeared on Google Play in 2019, but the Android clippers found this time have two first-time features: they are embedded inside instant-messaging applications, and they use optical character recognition (OCR) to read text out of screenshots stored on the infected device.

ESET researchers Lukáš Štefanko and Peter Strýček said in their analysis that all attacks were directed at victims’ cryptocurrency funds, with some targeting cryptocurrency wallets.

The attack chain starts when a user clicks a fraudulent advertisement in Google search results. The ad leads to one of hundreds of dubious YouTube channels, which in turn point users to lookalike Telegram and WhatsApp websites offering the trojanized apps. Once installed, the clippers carry out attacks that can be roughly divided into four groups:

1. Intercept the victim's chat messages and replace any cryptocurrency wallet address in sent or received messages with an address controlled by the threat actor.

2. Use OCR, via ML Kit, a legitimate machine-learning library for Android, to find and steal cryptocurrency wallet seed phrases from images on the device, allowing the attacker to empty the victim's wallet.

3. Monitor Telegram conversations for Chinese keywords related to cryptocurrency, some hard-coded and others received from the server; when a keyword matches, the full message, together with the username and the group or channel name, is exfiltrated to a remote server.

4. Switch wallet addresses and additionally collect device information and Telegram data such as messages and contacts.
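To make groups 1 and 3 concrete, here is an added illustration of the two behaviours in Python. It is not ESET's analysis code or the malware's own implementation: the address regexes are simplified stand-ins for whatever set the real families use, the "attacker" addresses are constructed placeholders, the chat message is constructed, and the Chinese keyword list is an assumed example of the kind of terms matched (the page does not give the real list). Alongside the clipper logic it includes the check a defender would run: compare the addresses in what was copied with what actually arrived.

```python
import re

# Simplified wallet address formats a clipper would hunt for.
# Assumption: these three patterns stand in for the malware's real set.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
    "trx": re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b"),
}

# Constructed placeholder addresses (not real wallets).
VICTIM_ADDRESSES = {
    "btc": "1" + "Examp13" * 4 + "Ex5",            # legacy P2PKH-style, 32 chars
    "eth": "0x" + "0123456789abcdef" * 2 + "01234567",
    "trx": "T" + "Examp13" * 4 + "Examp",          # 34 chars
}
ATTACKER_ADDRESSES = {
    "btc": "bc1qa7t4ck3r" + "0" * 30,              # bech32-style, 42 chars
    "eth": "0x" + "deadbeef" * 5,
    "trx": "T" + "Attacker" * 4 + "1",
}

# Constructed chat message: "Please pay to BTC ... or ETH ..., TRX address ...".
SAMPLE_MESSAGE = (
    f"付款请转到 BTC {VICTIM_ADDRESSES['btc']} 或 ETH {VICTIM_ADDRESSES['eth']}，"
    f"TRX 地址 {VICTIM_ADDRESSES['trx']}"
)

# Assumed examples of hard-coded Chinese keywords (wallet, seed phrase, private key);
# the page says the real malware also receives extra keywords from its server.
HARDCODED_KEYWORDS = ("钱包", "助记词", "私钥")


def swap_wallet_addresses(text, attacker=ATTACKER_ADDRESSES):
    """Group 1 behaviour: replace every recognised address with the attacker's.

    Returns (rewritten_text, list_of_original_addresses_replaced).
    """
    swapped = []
    for chain, pattern in ADDRESS_PATTERNS.items():
        def _replace(match, chain=chain):
            swapped.append(match.group(0))
            return attacker[chain]
        text = pattern.sub(_replace, text)
    return text, swapped


def find_swapped_addresses(copied, received):
    """Defender-side check: pair up the addresses in the text the user copied
    with those in the text that actually arrived and report every mismatch."""
    mismatches = []
    for pattern in ADDRESS_PATTERNS.values():
        before = pattern.findall(copied)
        after = pattern.findall(received)
        mismatches.extend((a, b) for a, b in zip(before, after) if a != b)
    return mismatches


def matched_keywords(message, server_keywords=()):
    """Group 3 behaviour: keywords present in the message, from the hard-coded
    list plus any list pushed by the server. A non-empty result is what would
    trigger exfiltration of the whole message with username and group name."""
    return [k for k in (*HARDCODED_KEYWORDS, *server_keywords) if k in message]


if __name__ == "__main__":
    tampered, originals = swap_wallet_addresses(SAMPLE_MESSAGE)
    print("original:", SAMPLE_MESSAGE)
    print("tampered:", tampered)
    for before, after in find_swapped_addresses(SAMPLE_MESSAGE, tampered):
        print(f"ALERT: {before} was replaced by {after}")
    print("keywords hit:", matched_keywords("我的助记词丢了", server_keywords=("转账",)))
```

The detector deliberately compares the copied text with the received text rather than validating the address itself: a swapped address is syntactically just as valid as the original, so checksum or format checks alone cannot catch the substitution. The same comparison is the manual habit to teach users: re-read the address after pasting, not just before copying.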

The following Android package names were observed in the trojanized apps. Note that org.telegram.messenger and com.whatsapp are also the package names of the genuine apps: the fakes deliberately reuse them, so a package name alone does not identify a malicious build. Check where the APK was obtained and whether its signing certificate matches the official developer's before trusting it:
org.telegram.messenger
org.telegram.messenger.web2
org.tgplus.messenger
io.busniess.va.whatsapp
com.whatsapp

ESET also found two Windows-based clusters: one that swaps wallet addresses, and one that distributes a remote access trojan (RAT) to take control of infected hosts and steal cryptocurrency. Although the clusters pursue the same goal, they may have been developed by different threat actors.

As with a similar campaign that came to light last year, the attacks mainly target Chinese-speaking users, because Telegram and WhatsApp are blocked in China. People who want to use these services must obtain them through indirect channels, which gives cybercriminals ample opportunity to slip in trojanized copies, the researchers note.

Source: https://thehackernews.com/2023/03/lookalike-telegram-and-whatsapp.html?m=1

