A new cryptocurrency-stealing malware was discovered on Google Play Store which could steal bitcoin and cryptocurrency from innocent users secretly.
The malware described as a “Clipper,” was disguised as a legitimate cryptocurrency app and it replaced the cryptocurrency wallet addresses copied into the Android clipboard with the one owned by the attackers. The discovery was made by a cyber security researcher at ESET, Lukas Stefanko.
The address of the cryptocurrency wallet consists of long strings of characters and so the users opt to copy and paste the addresses using the clipboard rather than typing it every time. It was this behavior of the user that the new clipper malware took advantage of for stealing the cryptocurrency. The clipper has been dubbed as Android/Clipper.C
In order to perform the attack, the hackers first tricked users to install the malicious app which was disguised as a legitimate cryptocurrency service called MetaMask. This app claims to allow the users to run Ethereum decentralized apps in their web browsers without the need to run a full Ethereum node.
Actually, the official legitimate version of MetaMask is available as a web browser extension for Chrome, Firefox, Opera, or Brave, and is yet to be launched on mobile app stores.
The researcher however found the malicious MetaMask app on Play Store that aims at users who wish to have the mobile version of the service by changing their legitimate cryptocurrency wallet address to the hacker’s own address via the clipboard.
So, the users who wanted to transfer funds into a cryptocurrency wallet of their choice would be depositing the fund into the hacker’s wallet address unknowingly.
Stefanko believes that this app was the first Android Trojan Clipper to be discovered on Play Store, when it was introduced into the app store on February 1. On being notified by the researcher, Google removed the malicious app immediately.
Even though the price of the bitcoin has reduced considerably, the attacks on the cryptocurrency are always on the rise.