{"id":75918,"date":"2023-03-21T13:43:53","date_gmt":"2023-03-21T11:43:53","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=75918"},"modified":"2025-09-10T14:23:44","modified_gmt":"2025-09-10T11:23:44","slug":"clippers-can-read-seed-phrases-from-screenshots","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/clippers-can-read-seed-phrases-from-screenshots\/","title":{"rendered":"Clippers can read seed phrases from screenshots"},"content":{"rendered":"<p>Experts at ESET Research have detected Trojanized versions of Telegram and WhatsApp for Android and Windows designed to steal cryptocurrencies.<\/p>\n<blockquote class=\\\"twitter-tweet\\\">\n<p lang=\\\"en\\\" dir=\\\"ltr\\\"><a href=\\\"https:\/\/twitter.com\/hashtag\/ESETResearch?src=hash&#038;ref_src=twsrc%5Etfw\\\">#ESETResearch<\/a> reports on new <a href=\\\"https:\/\/twitter.com\/hashtag\/Android?src=hash&#038;ref_src=twsrc%5Etfw\\\">#Android<\/a> and <a href=\\\"https:\/\/twitter.com\/hashtag\/Windows?src=hash&#038;ref_src=twsrc%5Etfw\\\">#Windows<\/a> <a href=\\\"https:\/\/twitter.com\/hashtag\/cryptocurrency?src=hash&#038;ref_src=twsrc%5Etfw\\\">#cryptocurrency<\/a> clippers in the form of trojanized <a href=\\\"https:\/\/twitter.com\/hashtag\/WhatsApp?src=hash&#038;ref_src=twsrc%5Etfw\\\">#WhatsApp<\/a> and <a href=\\\"https:\/\/twitter.com\/hashtag\/Telegram?src=hash&#038;ref_src=twsrc%5Etfw\\\">#Telegram<\/a> apps. This is the first time we&#8217;ve seen Android clippers focusing on instant messaging. 
<a href=\\\"https:\/\/t.co\/BY9oa17Hzl\\\">https:\/\/t.co\/BY9oa17Hzl<\/a> <a href=\\\"https:\/\/twitter.com\/LukasStefanko?ref_src=twsrc%5Etfw\\\">@LukasStefanko<\/a> 1\/4<\/p>\n<p>\u2014 ESET Research (@ESETresearch) <a href=\\\"https:\/\/twitter.com\/ESETresearch\/status\/1636325690302779392?ref_src=twsrc%5Etfw\\\">March 16, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\\\"https:\/\/platform.twitter.com\/widgets.js\\\" charset=\\\"utf-8\\\"><\/script>\\n\\n\\n<\/p>\n<p>Clippers embedded in the messengers replace wallet addresses sent in chat with the attackers&#8217; addresses. Android applications also use <span data-descr=\\\"optical character recognition\\\" class=\\\"old_tooltip\\\">OCR<\/span> to read text from screenshots and photos stored on the victim&#8217;s device. In this way, hackers can steal the seed phrase.<\/p>\n<p>One of the Windows malware packages consists not of clippers but of a <span data-descr=\\\"remote access trojan\\\" class=\\\"old_tooltip\\\">RAT<\/span>, which provides full control over the victim&#8217;s system without the need to intercept messaging traffic.<\/p>\n<p>At this stage, the imitator apps are aimed at residents of China, where Telegram and WhatsApp have been blocked for several years. As a result, users often attempt to obtain the messengers via workarounds.<\/p>\n<p>To lure potential victims, the hackers set up Google Ads that directed viewers to fraudulent YouTube channels, which then redirected viewers to sites impersonating Telegram and WhatsApp. 
Google has since blocked access to this advertising.<\/p>\n<p>Earlier, ForkLog reported on a new version of the Xenomorph trojan for Android capable of stealing credentials from <a href=\"https:\/\/forklog.com\/en\/news\/sber-data-leak-arrest-of-doppelpaymer-bitcoin-extortionists-and-other-cybersecurity-events\">400 banks and 13 cryptocurrency wallets<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Experts at ESET Research have detected Trojanized versions of Telegram and WhatsApp for Android and Windows designed to steal cryptocurrencies.<\/p>\n","protected":false},"author":1,"featured_media":75919,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[133,44,1246,723,1678],"class_list":["post-75918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-china","tag-cybercrime","tag-scammers","tag-telegram","tag-whatsapp"],"aioseo_notices":[],"amp_enabled":true,"views":"17","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=75918"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75918\/revisions"}],"predecessor-version":[{"id":75920,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/75918\/revisions\/75920"}],"wp:featuredmed
ia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/75919"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=75918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=75918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=75918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}