Investigations by cybersecurity firm ESET have uncovered a “sophisticated scheme” that proliferates trojan apps disguised as popular cryptocurrency wallets.
The malicious scheme targets mobile devices running Android or Apple (iOS) operating systems, which get compromised if the user downloads a bogus app.
According to ESET research, these malicious apps are distributed through fake websites and impersonate legitimate crypto wallets including MetaMask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey.
The company also discovered 13 malicious apps posing as Jaxx Liberty Wallet available on the Google Play Store. Google has since removed the offending apps, which were installed more than 1,100 times, but many more lurk on other websites and social media platforms.
The threat actors spread their wares via social media groups on Facebook and Telegram with intent to steal crypto assets from their victims. ESET claims to have uncovered “dozens of trojanized cryptocurrency wallet apps” since May 2021. It also stated that the scheme, which it believes is the work of a group, primarily targeted Chinese users via Chinese websites.
Lukáš Štefanko, the researcher who uncovered the scheme, said that it introduces further risks, such as the apps sending seed phrases to the attacker’s server over unsecured connections, adding:
“This means that victims’ funds can be stolen not only by the operator of this scheme, but also by another attacker eavesdropping on the same network.”
The fake wallet apps behave slightly differently depending on the platform they are installed on. On Android, the scheme targets a new cryptocurrency that the user may not have traded before and prompts the user to install the corresponding wallet. On iOS, the apps are installed outside Apple’s App Store using a trusted code-signing certificate. This means a user can have both the legitimate wallet and the trojanized one installed at the same time, but it poses a lesser threat since most users rely on App Store verification for their apps.
ESET advises cryptocurrency investors and traders to only install wallets from trusted sources that link to the official website of the exchange or company.
In February, Google Cloud introduced the Virtual Machine Threat Detection (VMTD) System that scans for and detects “cryptojacking” malware designed to hijack resources to mine digital assets.
According to a January Chainalysis report, cryptojacking accounted for 73% of the total value received by malware-related wallets and addresses between 2017 and 2021.
https://cointelegraph.com/news/13-apps-removed-after-researchers-uncover-trojan-crypto-wallet-scheme 13 apps removed after researchers uncovered Trojan crypto wallet scheme