A malicious app designed to steal cryptocurrency from victims by replacing a wallet address in the phone’s clipboard has been discovered harboring the first “clipper” malware discovered on Google Play, the official Android app store.
Usually cryptocurrency-stealers are found on unsanctioned Android app stores, but researchers with ESET on Friday said that they spotted the malicious app (a fake version of the legitimate MetaMask service) shortly after it had been introduced at the official Android store on Feb. 1. The app has since been removed, but anyone who had already downloaded it remains affected.
The app was called MetaMask, like the legitimate service that is designed to run Ethereum decentralized apps in a browser without having to run a full Ethereum node. The real MetaMask however does not actually offer a mobile app currently, only add-ons for desktop browsers such as Chrome and Firefox, researchers said.
Once downloaded on a victim’s system, the clipper malware scoops up content, like cryptocurrency wallets addresses, that have been pasted on the Android Clipboard. Clipboard is an extension in Chrome that lets users seamlessly copy and keep links at hand.
“The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds,” said Lukas Stefanko with ESET in a post. “However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.”
In a video, Stefanko explained how the malicious app works once a victim had downloaded it (below).
Once downloaded, the app prompts users to access their wallet using their seed phrase (a list of words which store all the information needed to recover a Bitcoin wallet) and a Private Key (a secret number that allows bitcoins to be spent).
In addition to phishing for credentials, the app executes the clipper malware. It then intercepts the content of the clipboard and is able to replace it: In this case, the malware replaces any cryptocurrency wallet addresses copied into the Android clipboard with addresses that belong to the attacker.
So, when making a cryptocurrency transaction, if the victim copies and pastes what they think is their own address from the clipboard into the transaction space, they could potentially end up with the copied wallet address quietly switched to one belonging to the attacker, researchers said.
“For security reasons, addresses of online cryptocurrency wallets are composed of long strings of characters,” researchers said. “Instead of typing them, users tend to copy and paste the addresses using the clipboard. A type of malware, known as a ‘clipper,’ takes advantage of this.”
Stefanko stressed that cryptocurrency users should double-check every step in all transactions that involve anything valuable, including sensitive information. And, when using the clipboard tool, users should always check if what they pasted is the correct content.
Clipper malware is gaining traction – In August 2018, the first Android clipper was discovered being sold on underground hacking forums and since then, this malware has been detected in several shady app stores.
In fact, ESET researchers discovered clipper malware hosted on download.cnet.com, one of the most popular software-hosting sites in the world.
“Although relatively new, cryptocurrency stealers that rely on altering the clipboard’s content can be considered established malware,” Stefanko said.
Interested in learning more about mobile enterprise security threats and best practices? Don’t miss our free Threatpost webinar on Feb. 27 at 2 p.m. ET. Join Threatpost senior editor Tara Seals and a panel of mobile security experts, including Patrick Hevesi of Gartner, to discuss the top evolving threats and risks that are unique to this work-from-anywhere environment; best practices for addressing them; and new challenges on the horizon, such as 5G services.