For better ease of analysis and explanation, we split the apps into several clusters based on those functionalities in this blogpost, we will describe four clusters of Android clippers and two clusters of malicious Windows apps. On the other hand, WhatsApp’s source code is not publicly available, which means that before repackaging the application with malicious code, the threat actors first had to perform an in-depth analysis of the app’s functionality to identify the specific places to be modified.ĭespite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. Since Telegram is an open-source app, altering its code while keeping the app’s messaging functionality intact is relatively straightforward. Overview of the trojanized appsĭue to the different architecture of Telegram and WhatsApp, the threat actors had to choose a different approach to create trojanized versions of each of the two. Of course, these are not the only copycat applications to go after cryptocurrencies – just at the beginning of 2022, we identified threat actors focused on repackaging legitimate cryptocurrency applications that try to steal recovery phrases from their victims’ wallets. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps. The main purpose of the clippers we discovered is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. As is unfortunately shown by our latest findings, this action did not succeed in weeding the problem out completely: not only did we identify the first instant messaging clippers, we uncovered several clusters of them. Prior to the establishment of the App Defense Alliance, we discovered the first Android clipper on Google Play, which led to Google improving Android security by restricting system-wide clipboard operations for apps running in the background for Android versions 10 and higher. In addition to clippers, we also found remote access trojans (RATs) bundled with malicious Windows versions of WhatsApp and Telegram.Some of the clippers abuse optical character recognition to extract text from screenshots and steal cryptocurrency wallet recovery phrases.The malware can switch the cryptocurrency wallet addresses the victim sends in chat messages for addresses belonging to the attacker.Threat actors are going after victims’ cryptocurrency funds using trojanized Telegram and WhatsApp applications for Android and Windows.ESET Research has found the first instance of clippers built into instant messaging apps.
0 kommentar(er)
