Main Takeaways
A global threat to crypto users posed by clipper malware remains active, powered by repackaged apps that intercept messages containing cryptocurrency addresses and swap them for criminals’ addresses.
The latest iteration of this attack has spread through very convincing but fake versions of popular messaging apps, both mobile and PC.
Binance’s Security team is working around the clock to monitor the threat, detect and blacklist scammers’ addresses, and raise public awareness to help users defend against this threat.
We have recently discussed the ongoing global threat of clipper malware, which primarily targets mobile users via fake and repackaged apps, including fake Binance apps. Not only does the threat remain active, it also continues to evolve, recently shifting to a new mode of spread: fake messaging apps such as Telegram and WhatsApp, on both mobile and PC platforms.
In this follow-up post, we aim to further educate and alert our users to the evolving dangers of clipper malware and to outline the steps Binance’s Security team is taking to protect our community.
Recap: The Nature and History of Clipper Malware
Clipper malware is a type of malicious program written by cybercriminals to intercept clipboard data, most often cryptocurrency wallet addresses. The attack works by substituting the wallet address the victim copied with an address controlled by the hacker. If the user unknowingly pastes this manipulated address while making a transaction, they will inadvertently send their funds to the hacker’s wallet.
The first widespread incident of this malware attack occurred in 2019, when a fake MetaMask app was uploaded to the Google Play Store. The app aimed to steal private keys and replace cryptocurrency addresses copied to the clipboard.
Since then, clipper malware has evolved, making its way into other apps, including cryptocurrency exchanges and messaging services.
In recent months, the scale of the threat has grown, with an increasing number of users across several regions becoming victims. Unfortunately, the wave of attacks is still posing a threat to the crypto community, especially as cybercriminals broaden their attack vectors to include not only fake crypto exchange apps but also repackaged messaging apps such as Telegram and WhatsApp, both on mobile and desktop.
The Expanding Threat: Fake and Repackaged Apps
The initial attack focused on fake exchange apps, including the Binance app, designed to steal users’ cryptocurrency. However, we have now uncovered a new disturbing trend: fake Telegram and WhatsApp apps repackaged by attackers and distributed via unofficial channels. These fake apps mimic the functionality of the legitimate applications while carrying out background attacks.
The malware apps scan every message for wallet addresses and replace them with the hacker’s addresses before displaying the manipulated information to the user.
[Screenshots: WhatsApp (mobile), Telegram (PC), Telegram (mobile)]
Even more concerning is that this attack is not limited to mobile devices. PC versions of these fake apps are equally dangerous, often bundled with Remote Access Trojans (RATs), which give attackers full control over the victim's system. Once inside, these RATs can steal sensitive information, including wallet credentials, and reroute funds without the user’s knowledge.
How Clipper Malware Works
Clipper malware attacks can unfold in several ways, but they all revolve around one core mechanism: manipulating clipboard data to intercept cryptocurrency transactions. Here’s how it works in various scenarios:
Mobile Apps (Telegram and WhatsApp):
A user downloads a fake Telegram or WhatsApp app from an unofficial website.
The app functions normally, but it monitors all messages and scans them for wallet addresses.
When a cryptocurrency wallet address is detected, the malware replaces it with the hacker’s address before the message is displayed to the user.
Alternatively, the malware intervenes when a user copies a wallet address displayed in these fake apps and alters it upon pasting.
The user unknowingly sends funds to the hacker instead of the intended recipient.
PC Apps:
Similarly, fake PC versions of Telegram and WhatsApp are distributed, often bundled with RATs.
Once installed, the RAT operates silently in the background, giving the hacker remote control of the victim’s system.
The malware can steal wallet credentials or directly modify transactions, rerouting funds to the attacker’s wallet.
Even if the victim removes the fake app, the RAT may persist, continuing to pose a risk.
Targets: Vulnerable Users in Asia and the Middle East
A significant share of clipper malware victims come from regions where Google Play is not widely available, such as China and the Middle East.
Due to government-imposed restrictions, users in these areas often resort to third-party websites to download apps. This makes them particularly vulnerable to downloading fake, repackaged apps. For instance, many users in China search for “Telegram下载链接” (Telegram download link) or “Telegram 中文版下载链接” (Telegram Chinese version download link), leading them to fraudulent websites. These fake websites can look so sophisticated that it would be difficult for the average user to distinguish them from official ones.
Attackers often distribute the malicious apps through unofficial sources like YouTube or Baidu, and the apps function almost exactly like their legitimate counterparts. However, under certain conditions – such as when the user attempts to send cryptocurrency – the malware discreetly alters the wallet address to one belonging to the attacker.
Binance Security Team’s Ongoing Efforts
At Binance, protecting our users is a top priority, and our Security team has been actively working to counter these ongoing threats. We’ve taken several steps to detect and counteract clipper malware attacks:
Reverse engineering and blacklisting suspicious addresses: Binance’s Red Team has reverse-engineered many of these malicious apps, identifying the servers and wallet addresses used by the attackers. This allows us to take action against these malicious entities by conducting takedowns and blocking identified wallet addresses.
Enhanced Monitoring: We’ve deployed automated crawling systems to detect fake apps and malicious websites. This allows us to respond swiftly and remove these threats before they can harm our users.
Public Awareness Campaigns: Binance is actively informing our community about these threats through blog posts, social media alerts, and emails. We emphasize the importance of downloading apps only from official sources, such as Google Play or the Apple App Store, and avoiding third-party websites.
How to Protect Yourself
Here’s what you can do to stay safe from the threats that clipper malware poses:
Download Apps from Official Sources: Always use legitimate app stores such as Google Play or the Apple App Store. Avoid third-party websites, even if they seem to offer localized versions of apps. Be cautious when installing applications and make sure you are installing the right apps.
Verify Wallet Addresses: Before making any cryptocurrency transactions, double-check the wallet address you’ve copied. Consider using a wallet application that highlights key parts of the address for easier verification.
Use Strong Security Measures: Enable two-factor authentication (2FA) on all your accounts, and regularly update your security settings. Use antivirus software and ensure that it is always up to date. Other protective measures include, but are not limited to, logging out after accessing any finance-related platforms, turning off connectivity and location services, and keeping your personal information private. Last but not least, always have a backup plan and physically secure your device whenever possible.
Be Wary of Suspicious Links: Avoid clicking on unknown links in emails, social media, or messaging apps. Phishing campaigns often accompany malware distribution, tricking users into downloading malicious software.
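The "Verify Wallet Addresses" step above can be automated. The following is an added example, not Binance code: a small Python check that compares the address you received through a trusted channel with the one about to be pasted, and flags a swap even when the first and last characters agree. The address patterns are an assumed, non-exhaustive set, and the sample addresses are constructed.

```python
import re

# Address shapes covered by this example (an assumed, non-exhaustive set).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b"),
    "evm": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
CASE_INSENSITIVE = {"btc_bech32", "evm"}  # Base58 addresses are case-sensitive

# Constructed sample values, not real wallets: same first and last characters,
# different middle.
TRUSTED = "0x" + "1111" + "ab" * 16 + "2222"
SWAPPED = "0x" + "1111" + "cd" * 16 + "2222"


def extract_addresses(text):
    """Return (kind, address) for each address-shaped token, in text order."""
    hits = []
    for kind, pattern in ADDRESS_PATTERNS.items():
        for m in pattern.finditer(text):
            addr = m.group().lower() if kind in CASE_INSENSITIVE else m.group()
            hits.append((m.start(), kind, addr))
    return [(kind, addr) for _, kind, addr in sorted(hits)]


def check_paste(trusted_text, pasted_text, edge=4):
    """Compare the address obtained out of band with the one about to be used."""
    trusted = extract_addresses(trusted_text)
    pasted = extract_addresses(pasted_text)
    if len(trusted) != 1 or len(pasted) != 1:
        # Nothing to compare, or several candidates: refuse to call it safe.
        return {"status": "unverifiable"}
    (t_kind, t_addr), (p_kind, p_addr) = trusted[0], pasted[0]
    if (t_kind, t_addr) == (p_kind, p_addr):
        return {"status": "match"}
    differing = sum(a != b for a, b in zip(t_addr, p_addr))
    differing += abs(len(t_addr) - len(p_addr))
    return {
        "status": "substituted",
        # True means a glance at the first/last characters would not catch it.
        "ends_match": t_addr[:edge] == p_addr[:edge] and t_addr[-edge:] == p_addr[-edge:],
        "differing_chars": differing,
    }


if __name__ == "__main__":
    print(check_paste(f"Pay to {TRUSTED}", TRUSTED))
    print(check_paste(f"Pay to {TRUSTED}", SWAPPED))
```

Run the check on a device other than the one where the address was copied, since a compromised machine can alter what any local tool sees.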
Final Thoughts
The clipper malware threat is still ongoing, and the range of delivery methods has expanded beyond fake Binance apps to include widely used communication platforms like Telegram and WhatsApp. Whether on mobile or PC, these fake apps present a clear and present danger to cryptocurrency users worldwide, especially in regions where access to official app stores is limited.
Binance’s security team continues to monitor, detect, and respond to these threats, but we need your vigilance to stay ahead of the attackers. Stay informed, stay cautious, and always download apps from trusted sources.
For the latest updates on cybersecurity threats, follow our Security blog articles.