A clipper malware is now used by cybercriminals to steal cryptocurrencies from the crypto wallets. This is being discovered on the Google Play store for the first time through the practice of clipboard being used in Windows, or Android app stores were there previously. The cyber attackers simply replace a wallet address to steal the emerging asset class. The digital coin market is facing challenges.
Long Sequence of Words
Attackers clearly take advantage of the users’ habit of copy and pasting the addresses of online cryptocurrency wallets with the help of the clipboard. They adopt this methodology to avoid composing long sequence of words, and that lands them in trouble through a ‘clipper’ malware.
This intercepts the clipboard content and replaces it clandestinely with the address that the criminals want to sabotage. This meant that those who are involved in transacting cryptocurrency could easily fall prey with the copied wallet address and witness losing their virtual assets in the process.
This is a dangerous malware type that was first seen on the Windows platform in 2017. In the following year, the attackers have entered into the Android app stores in the summer season. And now in February this year, the same malware is being spotted on Google Play, which is also the official app store for Android.
This is a new threat to digital currency wallets and termed as an established malware. Researchers have found it even on cnet.com, which is a popular site for software-hosting.
Hacking Forums
Android clipper was found in August 2018 for the first time in hacking forums and following this. There has been a constant rise in detecting the malware in a number of app stores. On February 8, 2019, ESET security researchers have discovered clipper malware like Android/Clipper C and imitate a lawful service known as MetaMask.
The objective is clear, i.e., to steal private keys and credentials of the victim to access ethereum funds. The possibility of replacing bitcoin is also not ruled out.
For its part, the Google Play security team has removed the app as the focus of the attacker is on the mobile type of the MetaMask. This is designed to manage decentralized apps of ethereum so that there is no need to run a complete ethereum node. Interestingly, there is no mobile app in this service and only add-ons.
Indicators of Compromise (IoCs)
| Package Name | Hash |
|---|---|
| com.lemon.metamask | 24D7783AAF34884677A601D487473F88 |
BTC address: 17M66AG2uQ5YZLFEMKGpzbzh4F1EsFWkmA
ETH address: 0xfbbb2EF692B5101f16d3632f836461904C761965
Video:
Moreover, as Cryptovibes.com already reported, MyEtherWallet and Electrum Wallet users should also be vigilant as phishing activities are going within the both wallets.
