Fake Telegram and WhatsApp clones aim at crypto on Android and Windows

Currently, the scam targets users who speak Chinese.

ESET cybersecurity researchers have discovered trojanized instant messaging apps that deliver clippers malware. According to their analysis, these Android and Windows-based clippers can abuse instant messages and steal crypto wallet funds via OCR (optical character recognition).

This is the first time clippers have been discovered disguised as instant messaging apps.

Dozens of Fake Messaging Apps Discovered

Based on the findings shared by ESET researchers, dozens of fake Telegram and WhatsApp websites have surfaced. These websites primarily target Windows and Android users and deliver weaponized versions of Telegram and WhatsApp instant messaging apps loaded with a type of malware that modifies clipboard content, called Clippers.

Clippers were first discovered on the Google Play Store in 2019, and now they have been built into messaging apps.

The infection chain (ESET)

What are Clippers?

Clippers refer to malicious codes, also called clipper copies, that can alter a device’s clipboard content, which in the latest campaign leads the attackers to access their victims’ cryptocurrency wallets.

This happens because online cryptocurrency wallets’ addresses comprise long strings of characters, and users often copy/paste these addresses via the clipboard instead of entering them.

Clippers can recognize the text and help attackers steal crypto by intercepting the clipboard data and secretly replacing wallet addresses with those that can be accessed by criminals.

“The main purpose of the clippers is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers,”


Researchers Lukáš Štefanko and Peter Strýček wrote that Clippers are mainly launched to steal cryptocurrency, and many of them can target cryptocurrency wallets. These apps use OCR to recognize text from screenshots the user has stored on the device. This is also the first time this kind of tactic is used.

How are Users Targeted?

In their latest campaign, clipper operators are targeting Chinese-speaking users. They distribute the malware by creating Google Ads that lure users to fake YouTube channels, from where they are redirected to fake WhatsApp and Telegram websites.

Once a clipper infects a device, it uses OCR to find and steal seed phrases. For this, the apps leverage a legitimate machine learning plugin called ML Kit on Android.

Another clipper cluster tracks Telegram conversations for Chinese cryptocurrency-related keywords, either received from a server or hard-coded. If found, the cluster exfiltrates the complete message with channel name, username, and group name to a remote server.

The fourth cluster of Android clippers can switch the wallet address and steal device data and Telegram data like contacts and messages.

Fake Telegram and WhatsApp sites (ESET)

The names of malicious Android APK packages are as follows:

  • com.whatsapp
  • org.tgplus.messenger
  • org.telegram.messenger
  • io.busniess.va.whatsapp
  • org.telegram.messenger.web2

ESET also discovered two Windows clusters. One could swap wallet addresses, and the other distributed RATs (remote access trojans), most based on GH0st RAT, in place of clippers to hijack infected hosts and steal crypto.”

Related Posts