The Limited Times


WhatsApp and Telegram apps that stole information from users have been detected - voila! technology


The information security company ESET has identified malicious applications that include an optical character recognition (OCR) mechanism to read text from screenshots, with the aim of breaking into users' accounts


Researchers at the information security company ESET revealed this morning (Monday) that they discovered dozens of sites imitating WhatsApp and Telegram that were mainly aimed at Android and Windows users and offered versions of the apps infected with Trojan horses.

Most of the detected malicious apps are of the "copy and paste" type: malware that steals the contents of the clipboard or changes them.

All of them are aimed at stealing the victims' digital currencies, and some also target the digital wallets themselves.

According to ESET, this is the first time the research body has come across copy-paste malware for Android that mainly focuses on instant messaging.

In addition, some of the applications used optical character recognition (OCR) to extract text from screenshots stored on the affected devices, which is also a first for Android malware.

According to the language used in the fake software, it seems that those behind it aimed attacks mainly at Chinese-speaking users.

Since both Telegram and WhatsApp have been blocked in China for several years (WhatsApp has been blocked since 2017 and Telegram has been blocked since 2015), people who want to use these services are forced to obtain the software through indirect means.

How did the app's distribution method work?

The attackers set up Google ads that led to YouTube channels, whose videos directed viewers to sites impersonating WhatsApp and Telegram.

ESET reported the fake ads and the relevant YouTube channels to Google, which quickly shut them all down.

"The main goal of the 'copy and paste' malware we discovered is to intercept the victim's message communication and replace the sent and received wallet addresses with addresses belonging to the attackers. In addition to the pasted versions of the applications intended for Android, we also found pasted versions of the same applications for Windows," notes ESET researcher Lukas Stefanko, who discovered the infected apps.


Although they serve the same general purpose, the trojanized versions of the apps offered several additional functions.

The discovered Android "copy and paste" malware is the first case of Android malware that uses optical character recognition (OCR) to read text from screenshots and images stored on the victim's device.

The OCR mechanism is designed to locate and steal a seed phrase, which is a mnemonic code consisting of a series of words that is used to recover digital currency wallets.

Once the attackers obtain this seed phrase, they can steal all the digital currencies directly from the wallet it is linked to.

In another case, the malware simply replaced the victim's digital wallet address with the attacker's in every chat message sent or received, with the attacker's addresses either stored in the malware itself or downloaded from the attacker's server.
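As an added example (not code from ESET or from the original article), the following Python check shows one way to catch the address replacement described above: compare the text a sender composed with the text the recipient reports receiving over a separate channel, and flag any wallet address that differs. The Bitcoin and Ethereum address formats, the function names and the sample addresses are assumptions made for illustration; the article names no specific currency.

```python
import re

# Address-shaped tokens. The article names no specific currency; Bitcoin and
# Ethereum formats are an assumption made for this illustration.
ADDRESS_RE = re.compile(
    r"\b(?:0x[0-9a-fA-F]{40}"                # Ethereum: 0x + 40 hex digits
    r"|bc1[02-9ac-hj-np-z]{11,71}"           # Bitcoin bech32
    r"|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"   # Bitcoin base58
)


def extract_addresses(text):
    """Return address-shaped tokens in the order they appear."""
    return ADDRESS_RE.findall(text)


def _normalize(addr):
    # Ethereum hex is case-insensitive apart from optional checksum casing.
    if addr is not None and addr.startswith("0x"):
        return addr.lower()
    return addr


def find_substitutions(composed, delivered):
    """Compare the text the sender wrote with the text the recipient reports
    receiving (confirmed over a separate channel). Returns (composed,
    delivered) pairs that differ; None marks an address on one side only."""
    sent = extract_addresses(composed)
    got = extract_addresses(delivered)
    findings = []
    for i in range(max(len(sent), len(got))):
        a = sent[i] if i < len(sent) else None
        b = got[i] if i < len(got) else None
        if _normalize(a) != _normalize(b):
            findings.append((a, b))
    return findings


# Constructed sample values, not real wallets.
SENDER_ADDR = "0x" + "1a2b" * 10
SWAPPED_ADDR = "0x" + "9f8e" * 10

if __name__ == "__main__":
    composed = f"Please pay to {SENDER_ADDR} by Friday."
    delivered = f"Please pay to {SWAPPED_ADDR} by Friday."
    for ours, theirs in find_substitutions(composed, delivered):
        print(f"ALERT: address changed: {ours} -> {theirs}")
```
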

In another case, the malware searched for specific words related to digital currencies within Telegram messages.

Once such a word was detected, the malware sent the complete message to the attacker's server.

ESET's research body also discovered Windows versions of this copy-paste malware, as well as installers for WhatsApp and Telegram that came with Trojan horses that allow remote access.

Contrary to the usual modus operandi of this malware, one of the infected software packages does not include copy-paste malware, but remote access Trojans that allow full control of the victim's system.

In this way, those Trojan horses can steal digital wallets without intercepting the outgoing and incoming messages from the application.

What is the solution?

The security company recommends installing apps only from known and trusted places, such as the Google Play app store, and not storing photos or screenshots containing sensitive information without encryption on your devices.

If you think you have installed an infected version of Telegram or WhatsApp, remove it and download it from the official app store or the official website of the software distributor.

If you suspect that your Windows Telegram app is malicious, use a security solution to detect the threat and delete it for you.

The official version of WhatsApp is currently available only in the Microsoft Store.


Source: walla

All tech articles on 2023-03-20
