ESET Research recently uncovered and tracked a sophisticated cryptocurrency theft campaign targeting Android and iOS mobile devices.
The rogue apps are delivered via fake websites mimicking legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. These bogus websites are promoted through advertisements placed on legitimate sites and through deceptive articles. The operators also recruit intermediaries through Telegram and Facebook groups to spread the malware. The main aim of these rogue apps is to steal users' funds; so far, ESET Research has found that the campaign primarily targets Chinese users, but as cryptocurrencies grow in popularity these techniques can be expected to spread worldwide.
Since May 2021, ESET has uncovered dozens of trojanized cryptocurrency wallet apps. This is a sophisticated attack vector: the malware author performed a thorough analysis of the legitimate applications, which allowed them to insert malicious code in places where it is difficult to detect, while ensuring that the modified applications retain the same functionality as the originals.
“These malicious apps also pose another threat to victims, as some of them send the victim’s passphrases to the attackers’ server using an insecure HTTP connection. This means that victims’ funds can be stolen not only by the operator of this campaign, but also by another attacker spying on the same network,” explains Lukáš Štefanko, the ESET researcher who discovered the campaign. “We also discovered 13 malicious apps posing as the Jaxx Liberty wallet. These apps were available in the Google Play store,” he adds.
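The quote above points at a secondary failure mode a network defender can check for on their own: a recovery phrase leaving the device in a plaintext HTTP request. The following is an added example, not ESET's tooling and not code from any of the wallets named on this page. It parses a raw HTTP/1.x request capture, pulls the fields out of a form-encoded or JSON body, and flags any field whose value has the shape of a BIP39 mnemonic (12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters). The word-shape test is a simplification I chose instead of embedding the 2048-word BIP39 list; the endpoint paths, the field names and the sample captures are constructed for the example (the mnemonics are the public all-zero-entropy BIP39 test vectors, not anyone's wallet).

```python
import json
import re
from urllib.parse import parse_qs

# Word counts allowed by BIP39 for a recovery phrase.
BIP39_LENGTHS = {12, 15, 18, 21, 24}
# Heuristic shape of an English BIP39 word (assumption: stands in for the real wordlist).
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def looks_like_mnemonic(value):
    """True if the string is N space-separated words with N in BIP39_LENGTHS and BIP39 word shape."""
    words = value.strip().split()
    return len(words) in BIP39_LENGTHS and all(WORD_RE.match(w) for w in words)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    return method, target, headers, body


def extract_fields(headers, body):
    """Flatten a form-encoded or top-level JSON object body into {field: string value}."""
    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        return {k: v[0] for k, v in parse_qs(body).items()}
    if "application/json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    return {}


def find_plaintext_seed_exfil(raw_request):
    """Return [(field_name, word_count), ...] for body fields carrying a mnemonic, or [] if none.
    Meant to run over plaintext HTTP captures: if this returns a hit, the phrase was readable
    by anyone on the path, which is exactly the exposure described in the article."""
    method, _target, headers, body = parse_http_request(raw_request)
    if method != "POST":
        return []
    hits = []
    for name, value in extract_fields(headers, body).items():
        if looks_like_mnemonic(value):
            hits.append((name, len(value.split())))
    return hits


# Constructed sample captures (hostnames and paths are hypothetical).
TWELVE = " ".join(["abandon"] * 11 + ["about"])          # public BIP39 test vector
TWENTY_FOUR = " ".join(["abandon"] * 23 + ["art"])       # public BIP39 test vector

SAMPLE_FORM = (
    "POST /api/v1/wallet/import HTTP/1.1\r\n"
    "Host: wallet-update.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "mnemonic=" + TWELVE.replace(" ", "+") + "&pin=1234"
)
SAMPLE_JSON = (
    "POST /sync HTTP/1.1\r\n"
    "Host: wallet-update.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n" + json.dumps({"device": "android", "words": TWENTY_FOUR})
)
SAMPLE_BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: wallet-update.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

if __name__ == "__main__":
    for label, sample in [("form", SAMPLE_FORM), ("json", SAMPLE_JSON), ("benign", SAMPLE_BENIGN)]:
        print(label, find_plaintext_seed_exfil(sample))
```

In practice you would feed this the reassembled request bodies from a capture tool rather than hand-built strings, and replace the word-shape heuristic with a lookup against the real BIP39 wordlist to cut false positives; the point of the shape test is that a seed phrase is recognisable regardless of what the app calls the field.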
On Telegram, he discovered dozens of user groups promoting malicious versions of mobile cryptocurrency wallets, suggesting that these groups were created by the authors of the campaign in search of new means of distribution, and that this has been going on since May 2021. As of October 2021, these Telegram groups were being shared and promoted in at least 56 Facebook groups with the same objective, namely to find more distribution channels. In November 2021, malicious wallets were spotted being distributed through two legitimate Chinese websites.
Besides these distribution vectors, dozens of other counterfeit wallet websites targeting mobile users exclusively have been discovered. Visiting one of these sites tricks the victim into downloading a trojanized wallet app for Android or iOS.
The malicious application behaves differently depending on the operating system it is installed on. On Android, it appears to target new cryptocurrency users who do not yet have a wallet app installed on their device. On iOS, the victim may end up with both versions installed: the legitimate one from the App Store and the malicious one from a website.
On iOS, the malicious apps are not available on the App Store; they must be downloaded and installed via configuration profiles, which add an arbitrary trusted code-signing certificate to the device. On Google Play, Google removed the 13 malicious applications found on the official store in January 2022.
Unfortunately, the source code of this threat has allegedly been leaked and shared on a few Chinese websites, which might attract other attackers and spread the threat even further.