Programs are capable of replacing the wallet address and reading users’ seed phrases

​ESET Research finds cryptocurrency-stealing trojans on WhatsApp and Telegram

20.03.2023 - 09:45


3 min

What’s new? ESET, an antivirus software developer, detected trojans embedded in messengers WhatsApp and Telegram for Android and Windows operating systems. According to ESET, attackers first place Google ads leading to fraudulent YouTube channels, which then redirect users to fake app sites. A downloaded version of the messenger with malware can replace cryptocurrency wallet addresses that victims send in chat messages.

Blog entry

How does the malware work? Some clippers use optical character recognition to extract text from screenshots and steal seed phrases to recover crypto wallets.

Seed phrase as a modern cryptocurrency security standard

Seed phrase as a modern cryptocurrency security standard

Keep the seed phrase as the apple of your eye - that's the advice you can give to anyone starting their journey in cryptocurrencies

Read further

Clippers are a type of malware that steals or modifies the contents of the clipboard.

In addition to clippers, ESET also found trojans that allow remote access to victims’ devices using WhatsApp and Telegram for Windows. In some cases, the malware monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends a full message to the attacker’s server.

ESET noted that judging by the language used in the apps, the operators are targeting Chinese users. Since Telegram and WhatsApp have been blocked in China for several years, people wishing to use the apps are forced to resort to unofficial ways to install them.

To protect against trojans, ESET experts recommend deleting infected versions of messengers and installing applications only from reliable sources. In addition, it is recommended not to store unencrypted pictures or screenshots with sensitive information on your device.

Earlier, SafeGuard warned about new malware for stealing cryptocurrencies in Telegram. The malware was spread through spam with images and was hidden on the victim’s device as an operating system file. And analysts at Cyble revealed the PennyWise malware, which can steal data from 30 different crypto wallets, including cold ones. The malware is spread under the guise of free mining software, links to which are posted under tutorial videos on YouTube.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy