A security researcher has discovered yet another piece of malware on the official Google Play Store that is designed to steal bitcoin and other cryptocurrencies from unsuspecting users.
The “Clipper” malware posed as a legitimate cryptocurrency app and replaced cryptocurrency wallet addresses copied into the Android clipboard with one belonging to the attackers, ESET researcher Lukas Stefanko wrote in a blog post.
Because cryptocurrency wallet addresses consist of long strings of characters for security purposes, users typically prefer to copy and paste them rather than type them.
This behavior was exploited by the newly discovered clipper malware, dubbed Android/Clipper.C by ESET, to steal cryptocurrency from users.
To accomplish this, attackers first duped users into installing a malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming that it would allow users to run Ethereum-based decentralized applications in their web browsers without having to run a full Ethereum node.
Officially, MetaMask is only available as a web browser extension for Chrome, Firefox, Opera, and Brave; it has not yet been released on mobile app stores.
However, Stefanko discovered a malicious MetaMask app on the Google Play Store that targets users who wish to access a mobile version of the service; it replaces the legitimate cryptocurrency wallet address they copied to the clipboard with the attacker’s address.
As a result, users who intended to transfer funds to a wallet of their choosing would instead deposit funds into the attacker’s wallet address pasted by the malicious app.
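The substitution described above leaves a recognizable trace when clipboard writes are recorded, for example in an instrumented analysis sandbox. The following is an added example, not code from ESET's write-up: it scans a constructed trace for an address that is overwritten shortly afterwards by a different address of the same kind from another package. The `ClipEvent` record, its `writer` field, the package names and the two-second window are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Shape-only patterns for the two address kinds the article names (no checksum check).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
}

@dataclass
class ClipEvent:
    t: float      # seconds since start of trace
    writer: str   # package that set the clipboard (hypothetical field)
    text: str

def classify(text):
    """Return (kind, normalized address) or (None, None) for non-address text."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            # Ethereum hex is case-insensitive; Bitcoin Base58 is not.
            return kind, s.lower() if kind == "ethereum" else s
    return None, None

def find_swaps(events, window=2.0):
    """Flag an address overwritten, within `window` seconds and by a different
    package, with a different address of the same kind."""
    alerts, prev = [], None
    for ev in sorted(events, key=lambda e: e.t):
        if prev is not None:
            (pk, pa), (k, a) = classify(prev.text), classify(ev.text)
            if (k and k == pk and a != pa
                    and ev.writer != prev.writer and ev.t - prev.t <= window):
                alerts.append((prev, ev))
        prev = ev
    return alerts

# Constructed trace; addresses are fillers, package names are made up.
ETH_A, ETH_B = "0x" + "ab" * 20, "0x" + "cd" * 20
BTC_A, BTC_B = "1" + "A" * 33, "1" + "B" * 33
TRACE = [
    ClipEvent(0.0, "com.example.browser", ETH_A),
    ClipEvent(0.4, "com.example.fakewallet", ETH_B),   # swap: should alert
    ClipEvent(9.0, "com.example.browser", "hello"),
    ClipEvent(20.0, "com.example.browser", BTC_A),
    ClipEvent(60.0, "com.example.browser", BTC_B),     # user copied another one
    ClipEvent(60.5, "com.example.notes", " " + BTC_B), # same address: no alert
]

if __name__ == "__main__":
    for old, new in find_swaps(TRACE):
        print(f"{new.t:.1f}s {new.writer} replaced {old.text} with {new.text}")
```

Only the second event in the constructed trace is flagged; a user copying a second address later, or another app rewriting the same address, is not.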
“Several malicious apps have been discovered impersonating MetaMask on Google Play. To gain access to the victims’ cryptocurrency funds, they merely phished for sensitive information,” Stefanko said.
“Android Clipper targeted Bitcoin and Ethereum addresses copied to the clipboard and replaced them with the attacker’s wallet address. This transaction cannot be canceled after it has been sent.”
Stefanko identified the malicious MetaMask app, which he believes to be the first Android Trojan Clipper to be discovered on Play Store, shortly after its February 1 release.
Google removed the malicious app almost immediately after receiving the researcher’s alert.
While the bitcoin price has declined steadily since its all-time high in December 2017, the cryptocurrency industry continues to be plagued by scandals, thefts, and scams, which are on the rise.
The Hacker News reported just last week that customers of the largest Canadian bitcoin exchange QuadrigaCX lost $145 million in cryptocurrency due to the sudden death of the exchange’s owner, who was the only person with access to the company’s cold storage wallets. Nevertheless, some users and researchers believe the incident may be an exit scam.