Researchers have discovered a sophisticated malicious cryptocurrency scheme that targets mobile devices running Android or iOS.
The malicious apps are distributed through fake websites and mimic legitimate wallet services such as Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. The fake websites are promoted with ads on legitimate sites using misleading articles.
The researchers say threat actors are also recruiting intermediaries through Telegram and Facebook groups to help distribute the malicious scheme. ESET Research says the primary goal of the malicious apps is to steal users' funds and that, until recently, the scheme has largely targeted Chinese users. As cryptocurrencies gain popularity, ESET anticipates these techniques will spread to other markets.
"Starting in May 2021, our research uncovered dozens of trojanized cryptocurrency wallet apps," says ESET researcher Lukáš Štefanko.
"This is a sophisticated attack vector since the malware's author carried out an in-depth analysis of the legitimate applications misused in this scheme, enabling the insertion of their malicious code into places where it would be hard to detect while also making sure that such crafted apps had the same functionality as the originals. At this point, ESET Research believes that this is likely the work of one criminal group."
He says the malicious apps also pose a second threat: some of them send the victim's secret seed phrase to the attacker's server over an unencrypted HTTP connection. This means the victim's funds could be stolen not only by the operator of the scheme but also by any other attacker eavesdropping on the same network.
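The plaintext exfiltration described above is something a network defender can look for directly. The following is an added illustration, not ESET's code or anything from the trojanized apps: it parses a captured HTTP/1.x request and flags any run of 12 or more consecutive BIP39 wordlist words in the request target or body, the shape a leaked seed phrase takes. The wordlist here is a constructed subset of the real 2048-word BIP39 English list (so the example runs offline), the host `wallet-backend.invalid` is a placeholder, and both sample requests are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed subset of the BIP39 English wordlist, embedded only so this
# example runs offline. The real list has 2048 words; load the full
# bip-0039/english.txt for any real deployment.
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
""".split())

# Valid BIP39 mnemonic lengths in words.
VALID_LENGTHS = (12, 15, 18, 21, 24)

# Constructed sample: a form-encoded POST carrying a 12-word mnemonic in clear.
SAMPLE_EXFIL = (
    "POST /api/v1/wallet/import HTTP/1.1\r\n"
    "Host: wallet-backend.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "mnemonic=abandon+ability+able+about+above+absent+absorb+abstract"
    "+absurd+abuse+access+accident&pwd=1234"
)

# Constructed sample: an ordinary price lookup with no seed material.
SAMPLE_BENIGN = (
    "GET /api/v1/prices?symbol=btc HTTP/1.1\r\n"
    "Host: wallet-backend.invalid\r\n"
    "\r\n"
)


def find_seed_phrases(text, wordlist=BIP39_SAMPLE):
    """Return each maximal run of >= 12 consecutive wordlist words in text."""
    tokens = re.findall(r"[a-z]+", text.lower())
    runs, current = [], []
    for tok in tokens + [None]:  # None is a sentinel that flushes the last run
        if tok is not None and tok in wordlist:
            current.append(tok)
            continue
        if len(current) >= min(VALID_LENGTHS):
            runs.append(" ".join(current))
        current = []
    return runs


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(raw, wordlist=BIP39_SAMPLE):
    """Flag a plaintext HTTP request that appears to carry a seed phrase."""
    method, target, headers, body = parse_http_request(raw)
    # Decode form encoding first so '+' and %xx escapes do not split the word run.
    phrases = []
    for chunk in (unquote_plus(target), unquote_plus(body)):
        phrases.extend(find_seed_phrases(chunk, wordlist))
    return {
        "host": headers.get("host", ""),
        "method": method,
        "path": target,
        "seed_phrase_count": len(phrases),
        "exact_bip39_length": any(len(p.split()) in VALID_LENGTHS for p in phrases),
        "alert": bool(phrases),
    }


if __name__ == "__main__":
    for label, req in (("exfil", SAMPLE_EXFIL), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_request(req))
```

Because the request is captured as plain HTTP, anything the checker sees is exactly what an on-path eavesdropper would see; the same logic can be pointed at proxy logs or a packet capture's reassembled streams. Runs that are not an exact BIP39 length are still reported, since a phrase may be padded with extra list words or split across fields.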
"We also discovered 13 malicious apps impersonating the Jaxx Liberty wallet. These apps were available on the Google Play Store," adds Štefanko.
On Telegram, a free and popular multi-platform messaging app with enhanced privacy and encryption features, ESET found dozens of groups promoting malicious copies of cryptocurrency mobile wallets. The research company assumes these groups were created by the threat actor behind the scheme looking for further distribution partners. ESET says this activity has been ongoing since May 2021.
"Starting in October 2021, we found that these Telegram groups were shared and promoted in at least 56 Facebook groups with the same goal to search for more distribution partners," says Štefanko.
"In November 2021, we spotted the distribution of malicious wallets using two legitimate Chinese websites. Besides these distribution vectors, we discovered dozens of other counterfeit wallet websites targeting mobile users exclusively. Visiting one of the websites might lead a potential victim to download a trojanized wallet app for the Android or iOS platforms."
The malicious app behaves differently depending on the operating system. On Android, it appears to target new cryptocurrency users who do not yet have a legitimate wallet application installed on their devices. On iOS, the victim can have both versions installed, the legitimate one from the App Store and the malicious one from a website.
On iOS, these malicious apps are not available on the App Store; they must be downloaded and installed using configuration profiles, which add an arbitrary, trusted code-signing certificate. On Google Play, following a request from ESET as a Google App Defense Alliance partner, Google removed 13 malicious applications from the official store in January 2022.
The source code of this threat has been leaked and shared on a few Chinese websites, which might attract various threat actors and spread it even further.
The Bitcoin price has fallen by almost half from its all-time high about four months ago. This might be a time for cryptocurrency investors to panic and withdraw their funds, or for newcomers to seize the chance to buy cryptocurrency at a lower price.
"If you belong to one of these groups, you should carefully pick which mobile app to use to manage your funds," says Štefanko.