Cybersecurity analysts at ESET recently identified several fraudulent websites impersonating the popular messaging apps Telegram and WhatsApp.
These fake websites serve tampered versions of the Telegram and WhatsApp apps to users of the following platforms:-
Android
Windows
Apart from this, the security researchers found that a significant number of the apps they examined are “clippers”, a class of malware that reads or modifies clipboard data.
Most of them go after the victims’ cryptocurrency wallets, and some go further and divert the victims’ cryptocurrency funds. This is the first time Android clippers built specifically into instant messaging apps have been observed.
Some of the apps also search the affected device for saved screenshots and run optical character recognition (OCR) over them to extract any text they contain, another first for Android malware.
Distribution Analysis
The operators behind these copycat applications appear to target mainly Chinese-speaking users, judging by the language used in the copycat apps.
This fits with the fact that both applications are blocked in China, where they have been inaccessible since:-
Telegram (2015)
WhatsApp (2017)
As part of their distribution strategy, the threat actors set up fake YouTube channels and buy Google Ads that lead users to those channels.
From there, viewers are directed to fake websites posing as the legitimate Telegram and WhatsApp sites.
The ban makes the lure effective: users looking for a way to obtain the apps are easily tricked by such offers.
Google Ads give the threat actors two advantages:-
Their pages easily reach the top of search results.
It helps them avoid having their websites flagged as scams or fraudulent.
Links to the copycat websites are usually found in the “About” section of the fake YouTube channels.
During their analysis, the security analysts also discovered a multitude of fraudulent YouTube channels.
All of them were linked to dozens of fake Telegram and WhatsApp websites that were being advertised on the channels.
Android & Windows Trojans
The trojanized Android apps are primarily used for the following purposes:-
Track and monitor the chat messages of the victim.
Replace the cryptocurrency wallet addresses of the victim with the attacker’s ones.
Exfiltrate sensitive data in order to steal the victims’ cryptocurrency funds.
The trojanized Telegram and WhatsApp apps replace wallet addresses in different ways.
Having analysed the original code of both apps in depth, the threat actors were able to modify messages in both services.
Since Telegram is open source, the cybercriminals did not need to build a new client from scratch; they could add the malicious functionality to the source code. WhatsApp is not open source, so adding the malicious functionality required patching the binary directly and repackaging the app.
With a trojanized WhatsApp, the recipient sees the attacker’s address rather than the victim’s.
The Windows versions, on the other hand, combine clippers with remote access trojans (RATs), whereas the Android versions contain only clippers.
Clippers are mostly used to steal crypto, while RATs can take screenshots and delete files, among other malicious activities. The threat actors hosted both the Android and Windows versions of the malicious applications on the same domain.
Moreover, the RATs observed are mostly based on Gh0st RAT, a publicly available remote access trojan.
Mitigation
To prevent such incidents, the security researchers strongly recommend that users:-
Download applications from official stores only.
Do not click on untrusted links received from unknown sources via email or messaging apps.
Always enable two-factor authentication.
Do not reuse passwords, and do not use passwords that are known to have been compromised.
Use a reputable antivirus or security product.
Before installing any application on a Windows system from a source other than an official store, verify the authenticity of both the source and the app.