Researchers have blown the lid off a sophisticated malicious scheme primarily targeting Chinese users via copycat apps on Android and iOS that mimic legitimate digital wallet services to siphon cryptocurrency funds.
“These malicious apps were able to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, or OneKey,” said Lukáš Štefanko, senior malware researcher at ESET, in a report shared with The Hacker News.
The malicious apps are said to have been distributed through a network of over 40 counterfeit wallet websites, promoted through misleading articles posted on legitimate Chinese websites and by recruiting intermediaries through Telegram and Facebook groups, in an attempt to trick unsuspecting visitors into downloading them.
ESET, which has been tracking the campaign since May 2021, attributed it to a single criminal group. The trojanized cryptocurrency wallet apps are crafted to replicate the functionality of their legitimate counterparts while incorporating malicious code changes that enable the theft of crypto assets.
“These malicious apps also represent another threat to victims, as some of them send secret victim seed phrases to the attackers’ server using an unsecured HTTP connection,” Štefanko said. “This means that victims’ funds could be stolen not only by the operator of this scheme, but also by a different attacker eavesdropping on the same network.”
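The second risk Štefanko describes, seed phrases leaving the device over plain HTTP, is also what makes this behaviour detectable on the network. The following Python script is an added example, not part of ESET's report or the original article: it triages constructed HTTP request records (method, URL, body) and raises an alert when a cleartext request body carries a run of 12 or more short lowercase words, the shape of a BIP39 recovery phrase (BIP39 English words are 3 to 8 letters long; phrases are 12 to 24 words). The sample requests, hostnames and field names are constructed for the example; a production detector would additionally match words against the real BIP39 wordlist rather than relying on the length heuristic alone.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request records (method, url, body); hostnames use the
# reserved .invalid TLD and are not real infrastructure.
SAMPLE_REQUESTS = [
    # 12-word phrase sent as a form field over cleartext HTTP (should alert)
    ("POST", "http://wallet-example.invalid/api/import",
     "mnemonic=abandon+ability+able+about+above+absent+absorb+abstract"
     "+absurd+abuse+access+accident&pin=1234"),
    # ordinary HTTPS balance lookup (should not alert)
    ("GET", "https://example.invalid/balance?addr=0xabc", ""),
    # cleartext login with no mnemonic-like content (should not alert)
    ("POST", "http://example.invalid/login", "user=alice&pass=hunter2"),
    # 24-word phrase inside a JSON body over cleartext HTTP (should alert)
    ("POST", "http://wallet-example.invalid/sync",
     '{"seed":"zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo '
     'zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo vote"}'),
]

# A run of at least 12 whitespace-separated lowercase words of 3..8 letters.
# Greedy matching extends the run as far as it goes, so a 24-word phrase is
# reported as one run of 24.
WORD_RUN = re.compile(r"\b[a-z]{3,8}(?:[ \t]+[a-z]{3,8}){11,}\b")


def mnemonic_word_runs(body: str) -> list[int]:
    """Return the lengths of mnemonic-shaped word runs in a decoded body."""
    decoded = unquote_plus(body)  # turns '+' and %XX form encoding into text
    return [len(m.group(0).split()) for m in WORD_RUN.finditer(decoded)]


def triage_request(method: str, url: str, body: str) -> dict:
    """Classify one request: cleartext transport plus a seed-shaped payload."""
    cleartext = url.lower().startswith("http://")
    runs = mnemonic_word_runs(body)
    return {
        "method": method,
        "url": url,
        "cleartext": cleartext,
        "mnemonic_word_runs": runs,
        # Alert only on the combination the report describes: a recovery
        # phrase travelling without TLS protection.
        "alert": cleartext and bool(runs),
    }


def scan(requests: list[tuple[str, str, str]]) -> list[dict]:
    """Return the triage records that raised an alert."""
    return [r for r in (triage_request(*req) for req in requests) if r["alert"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"ALERT {hit['method']} {hit['url']} "
              f"word runs={hit['mnemonic_word_runs']}")
```

The heuristic intentionally ignores HTTPS requests: the point of this check is the eavesdropping exposure, and inspecting TLS-protected bodies would require an interception proxy. Keeping the decision in `triage_request` also makes it easy to add a wordlist lookup or a mobile-app user-agent filter later.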