
New Android and Windows Cryptocurrency Clipper Malware Found in Instant Messaging Apps

Android and Windows users beware: there are fake versions of Telegram and WhatsApp being used to distribute cryptocurrency clipper malware. This malware is designed to intercept a victim's chats and replace any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors. This marks the first time Android-based clipper malware has been built into instant messaging apps.

The attack chain begins with unsuspecting users clicking on fraudulent ads in Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites. Once the victim downloads and installs the app, the malware is able to access the victim's chats and replace cryptocurrency wallet addresses. Another cluster of clipper malware makes use of OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android, thereby making it possible to empty the wallets.

So how can you protect yourself? Be cautious of any links you click on, even if they appear to be from a trusted source. If you're directed to a website to download an app, make sure you double-check that the website is legitimate. And as always, keep your antivirus software up to date.

