ESET Research discovers a scheme to steal cryptocurrency from Android and iPhone users

The malicious apps were distributed through fake websites that mimicked legitimate wallet services, promoted with ads placed on legitimate websites via misleading articles, and pushed through Telegram and Facebook groups.

The main goal of this scheme is to steal cryptocurrency funds, primarily from Chinese users.

ESET Research discovered over 40 copycat websites imitating popular cryptocurrency wallets and believes the campaign is likely the work of a single criminal group.

The malicious app behaves differently depending on the operating system on which it is installed.

With cryptocurrencies gaining popularity and the apparent leakage of the source code for this threat, ESET expects these techniques to spread to other markets.

DUBAI – UAE: ESET Research discovered and tracked a sophisticated malicious cryptocurrency scheme targeting mobile devices running Android or iOS (iPhones). Malicious apps are distributed through fake websites that mimic legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken and OneKey. These fake sites are promoted with ads placed on legitimate sites that use misleading articles. In addition, the threat actors are recruiting intermediaries through Telegram and Facebook groups to further distribute the malicious apps. The main purpose of the malicious apps is to steal users' funds, and so far ESET Research has seen this scheme aimed mainly at Chinese users. As cryptocurrencies gain popularity, ESET expects these techniques to spread to other markets.

Since May 2021, our research has uncovered dozens of trojanized cryptocurrency wallet apps. This is a sophisticated attack vector: the malware's author performed an in-depth analysis of the legitimate applications abused in this scheme, which allowed them to insert their own malicious code in places where it would be difficult to detect, while ensuring that the modified apps retained the same functionality as the originals. At this point, ESET Research believes this is likely the work of a single criminal group.

"These malicious apps also represent another threat to victims, as some of them send the victims' secret seed phrases to the attackers' server over an insecure HTTP connection. This means that the victims' funds can be stolen not only by the operator of this scheme, but also by another attacker eavesdropping on the same network," said Lukáš Štefanko, the ESET researcher who discovered the scheme. "We also discovered 13 malicious apps that mimicked the Jaxx Liberty wallet. These apps were available in the Google Play Store," he adds.
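The seed-phrase leak described above is something a network defender can look for directly: a non-custodial wallet has no reason to transmit its recovery phrase at all, so any mnemonic-shaped string in outbound traffic is suspect, and one sent over plain HTTP is readable by anyone on the path. The following is an added example, not code from ESET or from the apps analysed, that scans a constructed proxy log for candidate BIP39 mnemonics in JSON or form-encoded request bodies and reports whether the request was plaintext. The log format (one JSON record per line with `url`, `content_type` and `body`) and the hostnames are assumptions for illustration. The word check is a heuristic (12/15/18/21/24 lowercase words of 3 to 8 letters); a production version would also require every word to appear in the 2048-word BIP39 list, which is not embedded here.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Valid BIP39 mnemonic lengths and the letter-count range of BIP39 words.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def looks_like_mnemonic(value):
    """Heuristic: a run of 12/15/18/21/24 lowercase 3-8 letter words.
    Assumption: the full BIP39 wordlist is not checked here; a real
    detector should require each word to be in that 2048-word list."""
    words = value.strip().split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def candidate_strings(body, content_type):
    """Yield every string value from a JSON or form-encoded request body,
    falling back to the raw body for other content types."""
    if "json" in content_type:
        try:
            doc = json.loads(body)
        except ValueError:
            yield body
            return
        stack = [doc]
        while stack:  # walk nested objects/arrays without recursion
            node = stack.pop()
            if isinstance(node, dict):
                stack.extend(node.values())
            elif isinstance(node, list):
                stack.extend(node)
            elif isinstance(node, str):
                yield node
    elif "x-www-form-urlencoded" in content_type:
        for values in parse_qs(body).values():
            for v in values:
                yield v
    else:
        yield body


def find_seed_phrase_leaks(log_lines):
    """Return one finding per request body field that looks like a seed phrase.
    'plaintext' is True when the request went over http:// rather than https://."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        url = urlsplit(rec["url"])
        for s in candidate_strings(rec.get("body", ""), rec.get("content_type", "")):
            if looks_like_mnemonic(s):
                findings.append({
                    "host": url.hostname,
                    "path": url.path,
                    "plaintext": url.scheme == "http",
                    "words": len(s.split()),
                })
    return findings


# Constructed sample log: the mnemonics are simply the first 12 and 24 words
# of the BIP39 English wordlist, not real wallet secrets.
FIRST_24 = ("abandon ability able about above absent absorb abstract absurd abuse "
            "access accident account accuse achieve acid acoustic acquire across act "
            "action actor actress actual")
SAMPLE_LOG = [
    json.dumps({"url": "http://wallet-update.example/api/wallet/import",
                "content_type": "application/json",
                "body": json.dumps({"mnemonic": " ".join(FIRST_24.split()[:12]),
                                    "device": "android"})}),
    json.dumps({"url": "https://wallet.example/login",
                "content_type": "application/x-www-form-urlencoded",
                "body": "password=hunter2&remember=1"}),
    json.dumps({"url": "http://chat.example/post",
                "content_type": "application/x-www-form-urlencoded",
                "body": "msg=see+you+at+the+meeting+tomorrow+bring+the+docs"}),
    json.dumps({"url": "https://wallet-update.example/api/backup",
                "content_type": "application/x-www-form-urlencoded",
                "body": "mnemonic=" + "+".join(FIRST_24.split()) + "&pin=1234"}),
]


def scan_sample():
    """Run the detector over the constructed log (two hits expected:
    a 12-word phrase over plain HTTP and a 24-word phrase over HTTPS)."""
    return find_seed_phrase_leaks(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f)
```

Both hits matter: the HTTPS one still means a server, not the user, now holds the recovery phrase, which is exactly what a wallet app must never do; the plaintext flag only tells you how many other parties could have read it.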

On Telegram, a free and popular multiplatform messaging app with enhanced privacy and encryption features, ESET found dozens of groups promoting malicious copies of cryptocurrency mobile wallets. We assume these groups were created by the threat actor behind this scheme to look for additional distribution partners, and this activity has been going on since May 2021. Starting in October 2021, we found these Telegram groups being shared and promoted in at least 56 Facebook groups with the same goal: recruiting more distribution partners. In November 2021, we discovered malicious wallets being distributed through two legitimate Chinese websites.

In addition to these distribution vectors, we discovered dozens of other websites offering counterfeit wallets aimed exclusively at mobile users. Visiting one of these sites can lead a potential victim to download a trojanized wallet for Android or iOS.

The malicious app behaves differently depending on the operating system on which it was installed. On Android, it appears to be targeting new cryptocurrency users who do not yet have a legitimate wallet application installed on their devices. On iOS, the victim can have both versions installed – the legitimate one from the App Store and the malicious one from a website.

On iOS, these malicious apps are not available in the App Store; they have to be downloaded and installed using configuration profiles, which add an arbitrary trusted code-signing certificate to the device. On Google Play, at ESET's request as a Google App Defense Alliance partner, Google removed the 13 malicious applications found in the official store in January 2022.

Moreover, the source code of this threat appears to have been leaked and shared on a few Chinese websites, which may attract other threat actors and spread this threat further.

"At the time of publication, the price of bitcoin has fallen by almost half from its all-time high about four months ago. For cryptocurrency investors, this could be a time either to panic and withdraw their funds, or, for newcomers, to jump on this opportunity and buy cryptocurrency at a lower price. If you belong to one of these groups, you should carefully choose which mobile app you use to manage your funds," advises Štefanko.

For more technical information, check out the blog post “Crypto malware in patched wallets targeting Android and iOS devices” on WeLiveSecurity. Be sure to follow ESET Research on Twitter for the latest news from ESET Research.