Security Alert: Malicious Android App Created to Steal Cryptocurrency

  • A malicious app on the Google Play Store was replacing victims' cryptocurrency addresses with the attacker's address.
  • Payments were then sent to the attacker; the app has since been removed after ESET reported it to Google.

Cybersecurity firm ESET has issued a warning about a malicious app, previously available on the Google Play Store, that was stealing users' cryptocurrency.

As explained in an official blog post published on WeLiveSecurity, cryptocurrency addresses consist of long strings of alphanumeric characters. In most cases, users copy and paste these addresses when filling out invoices and conducting transactions. A class of malware known as a "clipper" had reportedly been intercepting the clipboard content of cryptocurrency users: whenever a copied string looked like a wallet address, the malware silently replaced it with an address belonging to the attacker, so the victim pasted and paid the wrong recipient.

These malware programs are not new: many versions surfaced on the Windows platform in 2017, and during the summer of 2018 several were found in "shady" Android app stores, WeLiveSecurity's blog notes. More recently, the company found a malicious clipper on the Google Play Store itself.

Crypto Stealing Malware Found On Android App Store 

Now found in the official Android app store as well as on third-party platforms, these malicious apps monitor the device's clipboard for strings that look like cryptocurrency addresses. As mentioned, the malware replaces the user's address with one belonging to the attacker; that address may resemble the victim's (for instance, sharing the first and last few characters) so that a quick glance at the pasted value does not reveal the swap.
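To make the mechanism described above concrete, the following added example simulates the clipper logic and the check a user or wallet app can apply at paste time. It is not ESET's code and not the Android/Clipper.C sample: on Android the malware hooks the platform clipboard listener, whereas here the "clipboard" is a plain string so the logic runs anywhere. All addresses are constructed placeholders, and the address regexes are deliberately simplified (they are not a validation of checksums or network prefixes).

```python
"""Clipper simulation: address detection, replacement, and a paste-time check.

Added example, not code from ESET or from the malware itself. Every address
below is constructed for the demo; none belongs to a real wallet.
"""
import re

# Simplified address patterns (assumption: adequate for the demo, not exhaustive).
# Ethereum: 0x followed by 40 hex digits.
# Bitcoin bech32: bc1 followed by the bech32 alphabet (no 1, b, i, o).
# Bitcoin legacy/P2SH: starts with 1 or 3, Base58 alphabet (no 0, O, I, l).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
}

# Constructed victim addresses.
VICTIM = {
    "eth": "0x1234567890abcdef1234567890abcdef12345678",
    "btc_legacy": "1VictimAddress" + "Q" * 16 + "7xZ",
}

# Constructed attacker addresses, chosen to share leading and trailing
# characters with the victim's so a glance at the edges does not reveal the swap.
ATTACKER = {
    "eth": "0x12345678deadbeefdeadbeefdeadbeef12345678",
    "btc_legacy": "1Vict" + "Z" * 24 + "7xZ",
    "btc_bech32": "bc1q" + "v" * 38,
}


def classify_address(token):
    """Return the address type of a bare token, or None if it is not an address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(token):
            return kind
    return None


def clipper_rewrite(clipboard_text, attacker_addresses):
    """What the malware does on every clipboard change: swap each recognised
    address for the attacker's address of the same type. Types for which the
    attacker holds no address are left untouched, so the text still 'works'."""
    rewritten = clipboard_text
    for kind, pattern in ADDRESS_PATTERNS.items():
        replacement = attacker_addresses.get(kind)
        if replacement is None:
            continue
        rewritten = pattern.sub(replacement, rewritten)
    return rewritten


def edges_match(a, b, n=4):
    """The check a hurried user does by eye: only the first and last n characters."""
    return a[:n] == b[:n] and a[-n:] == b[-n:]


def paste_is_tampered(copied, pasted):
    """The check that actually catches a clipper: compare the full string that
    was copied (e.g. from the invoice) with the full string that was pasted."""
    return copied != pasted


if __name__ == "__main__":
    invoice = "Send 0.5 ETH to " + VICTIM["eth"]
    hijacked = clipper_rewrite(invoice, ATTACKER)
    print("copied :", invoice)
    print("pasted :", hijacked)
    print("edges look the same:", edges_match(VICTIM["eth"], ATTACKER["eth"], 6))
    print("full comparison says tampered:", paste_is_tampered(invoice, hijacked))
```

The two checks at the end are the point of the example: `edges_match` returns True for the lookalike address, which is exactly why eyeballing the first and last few characters is not enough, while `paste_is_tampered` compares the whole string and catches the substitution. A wallet app can apply the same full comparison between the address the user typed or scanned and the one that ends up in the send field.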

The very first Android clipper was found in August of last year, when it was being sold on underground online forums. According to WeLiveSecurity, the same Android malware has since been found in "several shady app stores." Notably, the clipper discovered by WeLiveSecurity's researchers was "lurking" in Google's Play Store. Detected as "Android/Clipper.C," it works by impersonating the legitimate MetaMask wallet.

When unsuspecting users install the app, the malicious clipper harvests the victim's credentials and private keys. This allows the attacker to access the user's wallet and steal its cryptocurrency.

Using Basic Phishing Techniques To Steal Private Passwords

ESET discovered the app on the Play Store on February 1 and reported it to Google, which has since taken it down. ESET's security team pointed out that MetaMask's website currently offers Google Chrome and other browser add-ons for "signing blockchain transactions", and advised users to pay attention to the name and spelling of the sites they visit.

Many attackers use basic phishing techniques to steal users' logins and passwords, which are then used to break into the victims' online wallets and steal their funds. This was notably not the first crypto-targeting malware to replace the contents of users' clipboards.