Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets – We Live Security

Posted: March 16, 2023 at 3:34 pm


ESET researchers analyzed Android and Windows clippers that can tamper with instant messages and use OCR to steal cryptocurrency funds

ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers, a type of malware that steals or modifies the contents of the clipboard. All of them are after victims' cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time we have seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.

Prior to the establishment of the App Defense Alliance, we discovered the first Android clipper on Google Play, which led to Google improving Android security by restricting system-wide clipboard operations for apps running in the background for Android versions 10 and higher. As is unfortunately shown by our latest findings, this action did not succeed in weeding the problem out completely: not only did we identify the first instant messaging clippers, we uncovered several clusters of them. The main purpose of the clippers we discovered is to intercept the victims' messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps.

Of course, these are not the only copycat applications to go after cryptocurrencies; just at the beginning of 2022, we identified threat actors focused on repackaging legitimate cryptocurrency applications that try to steal recovery phrases from their victims' wallets.

Due to the different architecture of Telegram and WhatsApp, the threat actors had to choose a different approach to create trojanized versions of each of the two. Since Telegram is an open-source app, altering its code while keeping the app's messaging functionality intact is relatively straightforward. On the other hand, WhatsApp's source code is not publicly available, which means that before repackaging the application with malicious code, the threat actors first had to perform an in-depth analysis of the app's functionality to identify the specific places to be modified.

Despite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. For better ease of analysis and explanation, we split the apps into several clusters based on those functionalities; in this blogpost, we will describe four clusters of Android clippers and two clusters of malicious Windows apps. We will not go into the threat actors behind the apps, as there are several of them.

Before briefly describing those app clusters though, what is a clipper and why would cyberthieves use one? Loosely, in malware circles, a clipper is a piece of malicious code that copies or modifies content in a system's clipboard. Clippers are thus attractive to cybercriminals interested in stealing cryptocurrency because addresses of online cryptocurrency wallets are composed of long strings of characters, and instead of typing them, users tend to copy and paste the addresses using the clipboard. A clipper can take advantage of this by intercepting the content of the clipboard and surreptitiously replacing any cryptocurrency wallet addresses there with one the thieves can access.

Cluster 1 of the Android clippers also constitutes the first instance of Android malware using OCR to read text from screenshots and photos stored on the victim's device. OCR is deployed in order to find and steal a seed phrase, which is a mnemonic code comprised of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.

Compared to Cluster 1's use of advanced technology, Cluster 2 is very straightforward. This malware simply switches the victim's cryptocurrency wallet address for the attacker's address in chat communication, with the addresses either being hardcoded or dynamically retrieved from the attacker's server. This is the only Android cluster where we identified trojanized WhatsApp samples in addition to Telegram.

Cluster 3 monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends the full message to the attacker's server.

Lastly, the Android clippers in Cluster 4 not only switch the victim's wallet address, but they also exfiltrate internal Telegram data and basic device information.

Regarding the Windows malware, there was a cluster of Telegram cryptocurrency clippers whose members simply intercept and modify Telegram messages in order to switch cryptocurrency wallet addresses, just like the second cluster of Android clippers. The difference lies in the source code of the Windows version of Telegram, which required additional analysis on the part of the malicious actors before they could insert their own wallet addresses.

In a departure from the established pattern, the second Windows cluster is not comprised of clippers, but of remote access trojans (RATs) that enable full control of the victim's system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.

Based on the language used in the copycat applications, it seems that the operators behind them mainly target Chinese-speaking users.

Because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram being blocked since 2015 and WhatsApp since 2017, people who wish to use these services have to resort to indirect means of obtaining them. Unsurprisingly, this constitutes a ripe opportunity for cybercriminals to abuse the situation.

In the case of the attacks described in this blogpost, the threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirect the unfortunate viewers to copycat Telegram and WhatsApp websites, as illustrated in Figure 1. On top of that, one particular Telegram group also advertised a malicious version of the app that claimed to have a free proxy service outside of China (see Figure 2). As we discovered these fraudulent ads and related YouTube channels, we reported them to Google, which promptly shuttered them all.

Figure 1. Distribution diagram

Figure 2. Trojanized Telegram app offered in Telegram group

At first glance, it might seem that the way these copycat apps are distributed is quite convoluted. However, it is possible that with Telegram, WhatsApp, and the Google Play app all being blocked in China, Android users there are used to jumping through several hoops if they want to obtain officially unavailable apps. Cybercriminals are aware of this and try to ensnare their victims right from the get-go when the victim searches Google for either a WhatsApp or a Telegram app to download. The threat actors purchased Google Ads (see Figure 3) that redirect to YouTube, which both helps the attackers to get to the top of search results, and also avoids getting their fake websites flagged as scams, since the ads link to a legitimate service that Google Ads presumably considers very trustworthy.

Figure 3. Paid advertisement when searching for Chinese Telegram

The links to the copycat websites can usually be found in the About section of the YouTube channels. An example of such a description can be seen in a very rough translation in Figure 4.

Figure 4. Fraudulent WhatsApp YouTube channel that points to a fake website

During our research, we found hundreds of YouTube channels pointing to dozens of counterfeit Telegram and WhatsApp websites; some can be seen in Figure 5. These sites impersonate legitimate services (see Figure 6) and provide both desktop and mobile versions of the app for download. None of the analyzed apps were available on the Google Play store.

Figure 5. Fake channels available on YouTube

Figure 6. Websites mimicking Telegram and WhatsApp

We found various types of malicious code being repackaged with legitimate Telegram and WhatsApp apps. While the analyzed apps have sprung up at more or less the same time using a very similar pattern, it seems that they were not all developed by the same threat actor. Besides most of the malicious apps being able to replace cryptocurrency addresses in Telegram and WhatsApp communications, there are no indications of further connections between them.

While the fake websites offer download links for all operating systems where Telegram and WhatsApp are available, all Linux and macOS links, as well as most iOS links, redirect to the services' official websites. In the case of the few iOS links that do lead to fraudulent websites, the apps were no longer available for download at the time of our analysis. Windows and Android users thus constitute the main targets of the attacks.

The main purpose of the trojanized Android apps is to intercept victims' chat messages, and either swap any cryptocurrency wallet addresses for those belonging to the attackers, or exfiltrate sensitive information that would allow attackers to steal victims' cryptocurrency funds. This is the first time we have seen clippers that specifically target instant messaging.

To be able to modify messages, the threat actors had to thoroughly analyze the original code of both services' apps. Since Telegram is an open-source application, the cybercriminals only had to insert their own malicious code into an existing version and compile it; in the case of WhatsApp, however, the binary had to be modified directly and repackaged to add the malicious functionality.

We observed that when replacing wallet addresses, the trojanized apps for Telegram behave differently from those for WhatsApp. A victim using a malicious Telegram app will keep seeing the original address until the application is restarted, whereupon the displayed address will be the one that belongs to the attacker. In contrast, the victim's own address will be seen in sent messages if using a trojanized WhatsApp, while the message recipient will receive the attacker's address. This is shown in Figure 7.

Figure 7. Malicious WhatsApp (left) replaced sent wallet address in message for recipient (right)

Cluster 1 is the most intriguing, since its members constitute the first known instance of OCR abuse in any Android malware. In this case, trojanized Telegram apps use a legitimate machine learning plugin called ML Kit on Android to search the victim's device for images with .jpg and .png extensions, the most common screenshot formats on Android. The malware looks for screenshots of cryptocurrency wallet recovery phrases (also known as mnemonics) that the victim might have kept on the device as a backup.

Malicious functionality that iterates through files on the device and runs them through the OCR recognizeText function can be seen in Figure 8.

Figure 8. Malicious code responsible for retrieving images and pictures from the device and OCRing them

As shown in Figure 9, if recognizeText finds the string mnemonic, or the Chinese word for mnemonic, in the text extracted from the image, it sends both the text and the image to the C&C server. In select cases we have seen the list of keywords expanded to eleven entries, specifically the Chinese term together with Mnemonic, memorizing, Memorizing, recovery phrase, Recovery Phrase, wallet, METAMASKA, Phrase, secret, and Recovery phrase.

Figure 9. Image and the recognized text within are sent to the attackers' C&C server

In contrast with Cluster 1, which employs advanced methods to aid in its malicious activities, the second cluster of Android clippers is the least complicated among the four: these malicious apps simply swap wallet addresses, without further malicious functionality. The trojans in Cluster 2 mostly replace addresses for bitcoin, Ethereum, and TRON coin wallets, with a few of them also being able to switch wallets for Monero and Binance. The way the messages are intercepted and modified can be seen in Figures 10 and 11.

Figure 10. Telegram message interception by malicious code

Figure 11. Malicious code responsible for replacing wallet addresses in Telegram messages

Cluster 2 is the only Android cluster where we found not only Telegram, but also WhatsApp samples. Both types of trojanized apps either have a hardcoded list of attacker wallet addresses (as seen in Figure 11) or dynamically request them from a C&C server, as seen in Figure 12.

Figure 12. Bitcoin, Ethereum and TRON wallet addresses received from C&C server

This cluster monitors Telegram communication for particular keywords in Chinese, such as mnemonic, bank, address, account and Yuan. Some of the keywords are hardcoded, while others are received from the C&C server, meaning they could be changed or expanded at any time. Once a Cluster 3 clipper recognizes a keyword, the whole message, along with the username, group or channel name, is sent to the C&C server, as can be seen in Figure 13.

Figure 13. Clipper exfiltrates a message if keyword was detected

The last identified cluster of Android clippers, Cluster 4, can not only replace cryptocurrency addresses, but also exfiltrate the victim's Telegram data by obtaining their configuration files, phone number, device information, pictures, Telegram username, and the list of installed apps. Logging into these malicious versions of the Telegram app means that all the personal internal data stored within, such as messages, contacts, and configuration files, become visible to the threat actors.

To demonstrate, let's focus on this cluster's most intrusive trojanized app: this malware combs the internal Telegram storage for all files smaller than 5.2 MB and without a .jpg extension and steals them. Additionally, it can also exfiltrate basic information about the device, the list of installed applications, and phone numbers. All the stolen files are archived in an info.zip file, which is then exfiltrated to the C&C. All malware within this cluster uses the same ZIP filename, suggesting a common author or codebase. The list of the files exfiltrated from our analysis device can be seen in Figure 14.

Figure 14. Private Telegram user files that are exfiltrated to the C&C server

As opposed to the trojanized Android apps we discovered, the Windows versions consist not only of clippers, but also of remote access trojans. While the clippers focus mainly on cryptostealing, the RATs are capable of a wider variety of malicious actions such as taking screenshots and deleting files. Some of them can also manipulate the clipboard, which would allow them to steal cryptocurrency wallets. The Windows apps were found at the same domains as the Android versions.

We discovered two samples of Windows cryptocurrency clippers. Just like Cluster 2 of the Android clippers, these intercept and modify messages sent via a trojanized Telegram client. They use the same wallet addresses as the Android cluster, meaning that they most probably come from the same threat actor.

The first of the two clipper samples is distributed as a portable executable with all the necessary dependencies and information embedded directly in its binary. This way, no installation takes place after the malicious program is executed, keeping the victim unaware that something is amiss. The malware intercepts not only messages between users, but also all saved messages, channels, and groups.

Similar to the related Android Cluster 2, the code responsible for modifying the messages uses hardcoded patterns to identify the cryptocurrency addresses inside messages. These are highlighted in yellow in Figure 15. If found, the code replaces the original addresses with the corresponding addresses belonging to the attacker (highlighted in red). This clipper focuses on bitcoin, Ethereum, and TRON.

Figure 15. Decompiled code with hardcoded patterns and wallet addresses

The second clipper uses a standard installation process, the same as the legitimate Telegram installer. However, even if the process outwardly appears innocent, the installed executable is far from benign. Compared to legitimate Telegram, it contains two additional files encrypted using a single byte XOR cipher with the key 0xff. The files contain a C&C server address and an agent ID used to communicate with the C&C.

This time, no hardcoded addresses are used. Instead, the clipper obtains both the message patterns and the corresponding cryptocurrency wallet addresses from the C&C via an HTTP POST request. The communication with the C&C works in the same way as shown in Cluster 2 of Android clippers (Figure 12).

In addition to swapping cryptocurrency wallet addresses, this clipper can also steal the victim's phone number and Telegram credentials. When a person compromised by this trojanized app tries to log in on a new device, they are requested to put in the login code sent to their Telegram account. Once the code arrives, the notification is automatically intercepted by the malware, and the verification code along with the optional password end up in the hands of the threat actors.

Similar to the first Windows clipper sample, any message sent using this malicious version of Telegram containing bitcoin, Ethereum, or TRON cryptocurrency wallet addresses will be modified to replace the addresses with those provided by the attacker (see Figure 16). However, unlike the Android version, the victims will not be able to discover that their messages have been tampered with without comparing chat histories: even after restarting the app, the sender will always see the original version of the message since the relevant part of the code is executed again on application start; the recipient, on the other hand, will only receive the attacker's wallet.

Figure 16. Legitimate Telegram client (left) and trojanized one (right)
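The write-up notes that a sender using the Windows clipper can only detect the swap by comparing chat histories. The following is an added example (not code from the original post or from ESET) that automates that comparison: it lines up the sender's and the recipient's copies of a chat, extracts bitcoin, Ethereum and TRON addresses from each message, and reports every message whose addresses differ. The export line format, the address regexes and the sample chats are this example's own constructions, not the clippers' hardcoded patterns.

```python
import re
from typing import Dict, List, Tuple

# Address patterns for the coin families the write-up names. Assumption: these
# are this example's own approximations of the public address formats.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "tron": re.compile(r"\bT[a-km-zA-HJ-NP-Z1-9]{33}\b"),
}

# Constructed export format, one message per line: "<date> <time> | <sender>: <body>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \| (?P<sender>[^:]+): (?P<body>.*)$")


def extract_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (coin, address) pairs found in a message body, in order of appearance."""
    found = []
    for coin, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((m.start(), coin, m.group(0)))
    return [(coin, addr) for _, coin, addr in sorted(found)]


def parse_history(export: str) -> Dict[Tuple[str, str], str]:
    """Map (timestamp, sender) -> body so the two sides' copies can be lined up."""
    messages: Dict[Tuple[str, str], str] = {}
    for line in export.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            messages[(m["ts"], m["sender"])] = m["body"]
    return messages


def find_tampered_addresses(sender_export: str, recipient_export: str) -> List[dict]:
    """Report every message whose wallet addresses differ between the two copies."""
    sent_msgs = parse_history(sender_export)
    recv_msgs = parse_history(recipient_export)
    findings = []
    for key, body in sent_msgs.items():
        if key not in recv_msgs:
            continue  # message missing on one side is not an address swap
        sent, received = extract_addresses(body), extract_addresses(recv_msgs[key])
        if sent != received:
            findings.append({"timestamp": key[0], "sender": key[1],
                             "sent": sent, "received": received})
    return findings


# Constructed sample: alice's own copy of the chat versus bob's copy of it.
# The addresses are made-up strings that merely fit the formats above.
SENT_ETH = "0x1234567890abcdef1234567890abcdef12345678"
SWAPPED_ETH = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
SENT_TRX = "T" + "A" * 33
SWAPPED_TRX = "T" + "B" * 33

ALICE_COPY = f"""
2023-03-16 10:01 | alice: hi, sending the invoice details
2023-03-16 10:02 | alice: ETH to {SENT_ETH} please
2023-03-16 10:03 | bob: got it, or TRON works too
2023-03-16 10:04 | alice: TRON then: {SENT_TRX}
"""
BOB_COPY = f"""
2023-03-16 10:01 | alice: hi, sending the invoice details
2023-03-16 10:02 | alice: ETH to {SWAPPED_ETH} please
2023-03-16 10:03 | bob: got it, or TRON works too
2023-03-16 10:04 | alice: TRON then: {SWAPPED_TRX}
"""

if __name__ == "__main__":
    for f in find_tampered_addresses(ALICE_COPY, BOB_COPY):
        print(f"{f['timestamp']} {f['sender']}: sent {f['sent']} but recipient saw {f['received']}")
```

Because the Windows clipper leaves the sender's copy untouched, only the recipient's export reveals the swap; the same comparison also catches the Android WhatsApp behaviour described under Figure 7.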

The rest of the malicious apps we discovered are distributed in the form of Telegram and WhatsApp installers bundled with remote access trojans. Once the RATs have gained access to the system, neither Telegram nor WhatsApp need to run for the RATs to operate. In the observed samples, malicious code was mostly executed indirectly by using DLL Side-loading, thus allowing the attackers to hide their actions behind the execution of legitimate applications. These RATs differ significantly from the clippers, since they do not explicitly focus on stealing cryptocurrency wallets. Instead, they contain several modules with a wide range of functionalities, allowing the threat actors to perform actions such as stealing clipboard data, logging keystrokes, querying Windows Registry, capturing the screen, obtaining system information, and performing file operations. Each RAT we discovered used a slightly different combination of modules.

With one exception, all the remote access trojans we analyzed were based on the notorious Gh0st RAT, malware that is frequently used by cybercriminals due to its public availability. As an interesting aside, Gh0st RAT's code uses a special packet flag set to Gh0st by default, a value that threat actors like to customize. In changing the flag, they can use something that makes more sense for their version of the malware, or they can use no flags at all. They can also, as in one case spotted during our analysis, reveal their deepest desires by changing the flag to lambo (as in, the nickname for the Italian luxury car brand; see Figure 17).

Figure 17. Hex-rays decompiled code with flag lambo
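Since operators routinely rename the Gh0st packet flag, a detection keyed on the literal string "Gh0st" misses variants such as the lambo sample above. The added example below (not code from the post or from ESET) instead validates the packet structure and treats the flag as an attribute to report. It assumes the widely documented Gh0st 3.6 header layout (5-byte flag, 4-byte little-endian total length, 4-byte uncompressed length, zlib-compressed body); that layout is not stated on this page, and the packets built here are constructed test data.

```python
import struct
import zlib
from typing import Optional, Tuple

HEADER_LEN = 13          # 5-byte flag + 4-byte total length + 4-byte uncompressed length
DEFAULT_FLAG = b"Gh0st"  # stock value; "lambo" is the renamed one from the write-up


def build_packet(flag: bytes, payload: bytes) -> bytes:
    """Build a Gh0st-style packet. Used here only to construct test traffic."""
    if len(flag) != 5:
        raise ValueError("flag must be exactly 5 bytes")
    body = zlib.compress(payload)
    return flag + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def parse_gh0st_packet(data: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (flag, decompressed payload) if data has the Gh0st layout, else None.

    The flag is deliberately not compared against DEFAULT_FLAG: the structural
    checks (length fields consistent with the zlib body) are what identify the
    protocol, so renamed variants are still recognised.
    """
    if len(data) < HEADER_LEN:
        return None
    flag = data[:5]
    total_len, orig_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len != len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None
    if len(payload) != orig_len:
        return None
    return flag, payload


def classify_flag(flag: bytes) -> str:
    """Label the flag so a detection rule can report stock versus renamed builds."""
    return "default" if flag == DEFAULT_FLAG else "custom"


if __name__ == "__main__":
    for flag in (DEFAULT_FLAG, b"lambo"):
        pkt = build_packet(flag, b"constructed beacon payload")
        parsed = parse_gh0st_packet(pkt)
        print(flag, classify_flag(flag), parsed is not None)
```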

The only RAT among the group that wasn't completely based on Gh0st RAT used the code from the HP-socket library to communicate with its C&C server. Compared to the other RATs, this one uses significantly more anti-analysis runtime checks during its execution chain. While its source code certainly differs from the rest of the trojans discovered, its functionality is basically identical: it is capable of performing file operations, obtaining system information and the list of running programs, deleting profiles of commonly used browsers, downloading and running a potentially malicious file, and so on. We suspect that this is a custom build that could be inspired by the Gh0st implementation.

Install apps only from trustworthy and reliable sources such as the Google Play store.

If you are sharing cryptocurrency wallet addresses via the Android Telegram app, double check whether the address you sent matches the address that is displayed after restarting the application. If not, warn the recipient not to use the address and try to remove the message. Unfortunately, this technique cannot be applied to trojanized WhatsApp for Android.

Be aware that the previous tip does not apply in the case of trojanized Telegram; since the recipient of the wallet address only sees the attacker wallet, they will be unable to tell whether the address is genuine.

Do not store unencrypted pictures or screenshots containing sensitive information, such as mnemonic phrases, passwords, and private keys, on your device.

If you believe you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play, or directly from the legitimate website.

In case you are not sure whether your Telegram installer is legitimate, check if the file's digital signature is valid and issued to Telegram FZ-LLC.

If you suspect that your Telegram app is malicious, we advise that you use a security solution to detect the threat and remove it for you. Even if you do not own such software, you can still use the free ESET Online Scanner.

The only official version of WhatsApp for Windows is currently available in the Microsoft store. If you installed the application from any other source, we advise you to delete it and then to scan your device.

During our research of trojanized Telegram and WhatsApp apps distributed through copycat websites, we discovered the first instances of Android clippers that intercept instant messages and swap victims' cryptocurrency wallet addresses for the attackers' address. Furthermore, some of the clippers abused OCR to extract mnemonic phrases out of images saved on the victims' devices, a malicious use of the screen reading technology that we saw for the first time.

We also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans. Through their various modules, the RATs give the attackers control over the victims' machines.

This table was built using version 12 of the MITRE ATT&CK mobile techniques.

This table was built using version 12 of the MITRE ATT&CK enterprise techniques.
