A security researcher has discovered yet another piece of cryptocurrency-stealing malware on the official Google Play Store, designed to secretly steal bitcoin and other cryptocurrencies from unwitting users.
The malware, described as a “Clipper,” masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging to attackers, ESET researcher Lukas Stefanko explained in a blog post.
Since cryptocurrency wallet addresses are made up of long strings of characters for security reasons, users usually prefer copying and pasting the wallet addresses using the clipboard over typing them out.
The newly discovered clipper malware, dubbed Android/Clipper.C by ESET, took advantage of this behaviour to steal users' cryptocurrency.
To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralised apps in their web browsers without having to run a full Ethereum node.
Officially, the legitimate version of MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, or Brave, and has not yet launched on any mobile app store.
However, Stefanko spotted the malicious MetaMask app on the Play Store. It targeted users who wanted a mobile version of the service, and changed their legitimate cryptocurrency wallet address to the hacker’s own address via the clipboard.
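A wallet or exchange front end can catch the clipboard substitution described above by comparing the address the user copied with the one that arrives at paste time; a format check alone will not, because the replacement address is also well formed. The following is an added example, not code from ESET or from the article, and its function names, format-only regexes and sample addresses are constructed for illustration.

```python
import re

# Format-only approximations of address shapes (no checksum verification).
PATTERNS = {
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "bitcoin-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "bitcoin-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
}

# Constructed sample values, not real wallets.
COPIED = "0x" + "a1" * 20    # address the user copied
SWAPPED = "0x" + "b2" * 20   # different address found at paste time

def address_kind(text):
    """Return the address family the text looks like, or None."""
    candidate = text.strip()
    for kind, pattern in PATTERNS.items():
        if pattern.fullmatch(candidate):
            return kind
    return None

def check_paste(copied, pasted):
    """Compare the copied address with what arrived at paste time.

    "ok"          identical address
    "substituted" different, well-formed address of the same family
    "changed"     clipboard content differs in some other way
    "not-address" the copied text was not a wallet address
    """
    kind = address_kind(copied)
    if kind is None:
        return "not-address"
    a, b = copied.strip(), pasted.strip()
    # Ethereum hex is the same account regardless of letter case.
    if a == b or (kind == "ethereum" and a.lower() == b.lower()):
        return "ok"
    if address_kind(pasted) == kind:
        return "substituted"
    return "changed"

if __name__ == "__main__":
    # The swapped value passes the format check, so only the comparison flags it.
    print(address_kind(SWAPPED), check_paste(COPIED, SWAPPED))
```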