ESET researchers have discovered that dozens of copycat Telegram and WhatsApp websites are targeting Android and Windows users with trojanised versions of these instant messaging apps. Most of the malicious apps identified are clippers, which are a type of malware that steals or modifies the contents of the clipboard. All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This is the first time that ESET Research has seen Android clippers focusing specifically on instant messaging.

In addition to stealing cryptocurrency wallets, some of these apps use optical character recognition (OCR) to recognise text from screenshots stored on the compromised devices. This is another first for Android malware. Based on the language used in the copycat applications, it seems that the operators behind them mainly target Chinese-speaking users. This is because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram being blocked since 2015 and WhatsApp since 2017. People who wish to use these services have to resort to indirect means of obtaining them.

To access the fraudulent apps, the threat actors first set up Google Ads leading to fraudulent YouTube channels. These channels then redirected viewers to copycat Telegram and WhatsApp websites. ESET Research immediately reported the fraudulent ads and related YouTube channels to Google, which promptly shut them all down.

“The main purpose of the clippers we discovered is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanised WhatsApp and Telegram Android apps, we also found trojanised Windows versions of the same apps,” says ESET researcher Lukáš Štefanko, who discovered the trojanised apps.

Despite serving the same general purpose, the trojanised versions of these apps contain various additional functionalities. The analysed Android clippers constitute the first instance of Android malware using OCR to read text from screenshots and photos stored on the victim’s device. OCR is deployed to find and steal a seed phrase, which is a mnemonic code composed of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.

In another instance, the malware simply switches the victim’s cryptocurrency wallet address for the attacker’s address in chat communication, with the addresses being either hardcoded or dynamically retrieved from the attacker’s server. In yet another instance, the malware monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognised, the malware sends the full message to the attacker’s server.

ESET Research also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans (RATs). In a departure from the established pattern, one of the Windows-related malware bundles is not composed of clippers but of RATs that enable full control of the victim’s system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.

ESET advises users to only install apps from trustworthy and reliable sources, such as the Google Play store, and not to store unencrypted pictures or screenshots containing sensitive information on their device. If users suspect that they have a trojanised version of Telegram or WhatsApp, they should manually remove it from their device and download the app either from Google Play or directly from the legitimate website. For Windows, if users suspect that their Telegram app is malicious, they should use a security solution to detect the threat and remove it. The only official version of WhatsApp for Windows is currently available in the Microsoft store.