The scheme, which mainly targeted Chinese users through social media groups and fake websites, has been running since May 2021.
An investigation by leading cybersecurity firm ESET has lifted the lid on a “sophisticated scheme” by criminals who spread trojanized apps disguised as popular cryptocurrency wallets. The malicious plan targeted mobile devices running Apple’s iOS and Android, which were compromised as soon as an unsuspecting user downloaded a fake app.
According to the ESET investigation, the crooks distributed the 13 malicious apps through fake websites that imitated legitimate cryptocurrency wallets such as MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Google has since removed the offending apps from the Google Play Store, where over 1,100 unsuspecting users may have installed them. However, the malicious apps may still be lurking on other websites or social media platforms.
Uncovered dozens of trojanized cryptocurrency wallet Apps
The cybercriminals disseminated their wares via social media groups on Facebook and Telegram, with the sole intention of stealing cryptocurrency from their victims. ESET indicated in its report that it had uncovered “dozens of trojanized cryptocurrency wallet apps”. The firm discovered that the scheme was orchestrated by a single group, which specifically targeted Chinese cryptocurrency users through Chinese websites.
Researcher Lukas Stefanko, who unraveled the scheme, said there were other threat vectors, such as seed phrases being sent to the attacker’s server over unsecured connections. He added:
“This means that victims’ funds could be stolen by the operator of this scheme and by a different attacker eavesdropping on the same network.”
The malware appeared to target new cryptocurrency users
The malware works differently depending on whether the victim is an iOS or Android user. On Android, the malware appeared to target new cryptocurrency users who do not yet have a legitimate wallet application installed, since Android’s security model prevents the malware from overwriting an existing app on the device.
On iOS, however, the victim can have both the real app and the fake one installed, so more experienced cryptocurrency enthusiasts could be targeted too, even though downloading these fake wallets is somewhat cumbersome on both platforms.
The attackers can manipulate the app’s content as if it was their own
For Android users, the fake cryptocurrency websites invite the user to “Download from Google Play”, although the download actually comes from the bogus site’s server. Once downloaded, the app has to be installed manually by the user.
Whether on Apple or Android, once installed the malware behaves like a fully working cryptocurrency wallet, indistinguishable from the genuine apps. By inserting malicious code into the app, the attackers can manipulate the app’s content as if it were their own – meaning they can drain the cryptocurrency from the wallet without the user knowing. Researcher Lukas Stefanko added:
“We would like to appeal to the cryptocurrency community, mainly newcomers, to stay vigilant and use only official mobile wallets and exchange apps, downloaded from official app stores that are explicitly linked to the official websites of such services, and to remind iOS device users of the dangers of accepting configuration profiles from anything but the most trustworthy of sources.”