Dozens of malicious apps posing as crypto wallets have appeared online with the aim of stealing funds from users around the world. According to a research report, the apps were distributed to Android and iOS users through an elaborate scheme. The malicious apps impersonated crypto wallets such as Coinbase, imToken, MetaMask, Trust Wallet, Bitpie, TokenPocket, and OneKey. The trojanized wallets were first discovered in May 2021 and initially targeted Chinese users. However, as cryptocurrencies gain popularity, the techniques used by the attackers could easily be extended to users anywhere in the world.
Internet security firm ESET has reported the discovery of malicious crypto wallets that appear to be available to Android and iOS users.
Research conducted by ESET uncovered a sophisticated operation run by anonymous attackers and identified more than 40 websites posing as popular crypto wallets. These websites target mobile users and use a range of lures to push visitors into downloading the rogue wallet apps.
Although initial evidence suggested the targets were Chinese users, it was later found that, because most of the sites and apps are in English, the operation could affect anyone using English on their phone.
“They are not targeting Chinese users only, as most of the bogus websites and apps distributed are in English. Because of that, I think it could affect anyone in the world (if they speak English),” ESET malware analyst Lukas Stefanko told Gadgets 360.
The first trace of the trojanized wallet distribution vector was spotted in May 2021. According to the report, the attackers used various Telegram groups to recruit people to distribute the malicious apps.
Based on the information obtained, the researchers found that the attackers offered these intermediaries a 50% commission on the stolen contents of each wallet, an incentive intended to bring more people on board to circulate the malware.
The researchers also noticed that Telegram groups were shared and promoted in some Facebook groups, in an attempt to find more distribution partners for the malware. It could potentially extend the reach of malicious attacks by getting intermediaries to target individuals.
According to the researchers, the malicious apps pretended to work as legitimate crypto wallets, such as imToken, Bitpie, MetaMask, TokenPocket and OneKey.
The apps behave differently depending on the operating system they were installed on, the researchers said.
On Android, the apps targeted new crypto users who did not yet have a legitimate wallet app installed on their devices. The rogue apps used the same package name as their legitimate counterparts in order to masquerade as them, but they were signed with a different certificate. Android refuses to install a package that carries the same package name as an already-installed app but is signed with a different key, so the rogue apps cannot replace an official wallet that is already on the device; they only succeed where no legitimate copy is present.
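The installation rule described above, as an added example that is not part of the ESET report or of any wallet's code: the script models Android's same-package/different-signer check and shows why the rogue app installs cleanly on a fresh device but is refused where the official wallet already exists (and, conversely, why the official wallet can no longer be installed over a rogue copy). The package name, the byte strings standing in for DER signing certificates, and the vendor fingerprint are all constructed for the example; the `INSTALL_FAILED_UPDATE_INCOMPATIBLE` status string is the real PackageManager result for this case.

```python
"""Model of Android's same-package/different-signer install rule (added example).

Constructed data only: the byte strings below stand in for DER-encoded signing
certificates; they are not real certificates, fingerprints or package names.
"""
import hashlib
from dataclasses import dataclass, field

# Real PackageManager status returned when a package with the same name is
# already installed but the new APK is signed with a different key.
INSTALL_FAILED_UPDATE_INCOMPATIBLE = "INSTALL_FAILED_UPDATE_INCOMPATIBLE"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, colon-separated like `apksigner verify --print-certs`."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass(frozen=True)
class Apk:
    package: str        # applicationId, e.g. "com.example.wallet" (constructed)
    signer_der: bytes   # DER of the signing certificate (constructed here)


@dataclass
class Device:
    # package name -> fingerprint of the signer the package was installed with
    installed: dict = field(default_factory=dict)

    def install(self, apk: Apk) -> str:
        """Apply the same-name/same-signer rule and return the install status."""
        fp = cert_fingerprint(apk.signer_der)
        current = self.installed.get(apk.package)
        if current is None:
            # Fresh install: nothing to compare against, any signer is accepted.
            self.installed[apk.package] = fp
            return "INSTALL_SUCCEEDED_NEW"
        if current == fp:
            # Same signer: treated as an update of the existing app.
            return "INSTALL_SUCCEEDED_UPDATE"
        # Same package name, different key: refused, existing app untouched.
        return INSTALL_FAILED_UPDATE_INCOMPATIBLE


def verify_signer(apk: Apk, expected_fingerprint: str) -> bool:
    """User-side check: compare an APK's signer with a fingerprint the vendor publishes."""
    return cert_fingerprint(apk.signer_der) == expected_fingerprint


def demo() -> dict:
    """Walk through the two user populations described in the report."""
    official_der = b"CONSTRUCTED-DER: official wallet signing certificate"
    rogue_der = b"CONSTRUCTED-DER: attacker signing certificate"
    official = Apk("com.example.wallet", official_der)
    rogue = Apk("com.example.wallet", rogue_der)
    vendor_fp = cert_fingerprint(official_der)  # as if published by the vendor

    results = {}
    # New crypto user, no wallet installed: the rogue app installs cleanly,
    # and afterwards the real wallet can no longer be installed over it.
    fresh = Device()
    results["fresh_rogue"] = fresh.install(rogue)
    results["fresh_then_official"] = fresh.install(official)

    # Existing user with the official wallet: the rogue app is refused,
    # while a genuine update from the same signer goes through.
    seasoned = Device()
    seasoned.install(official)
    results["seasoned_rogue"] = seasoned.install(rogue)
    results["seasoned_update"] = seasoned.install(official)

    # Checking the signer fingerprint before installing catches the rogue APK.
    results["rogue_matches_vendor_fp"] = verify_signer(rogue, vendor_fp)
    results["official_matches_vendor_fp"] = verify_signer(official, vendor_fp)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The model deliberately ignores APK Signature Scheme v3 key rotation, where a signing lineage lets a vendor move to a new key while still being accepted as an update; that mechanism only works when the old key signs the lineage, so it does not give an attacker's certificate a path past the check. On a real device the fingerprint in `verify_signer` comes from `apksigner verify --print-certs` on the downloaded APK, compared against the value the vendor publishes.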
On iOS, by contrast, the rogue wallet apps could be installed alongside the legitimate version. The malicious apps could only be installed from third-party sources, whereas the official version comes from the App Store.
Once installed, the researchers found, the apps steal the seed phrase generated by the wallet, which gives full control over the funds associated with that wallet. The stolen phrases were sent to the attackers' server or to a private Telegram chat group.
ESET researchers also discovered 13 fake wallet apps on the Google Play Store, which were removed in January at ESET's request. The apps impersonated the legitimate Jaxx Liberty Wallet app and had been installed over 1,100 times.
The researchers advise users to download and install apps only from official sources, that is, Google Play on Android and Apple's App Store on iPhone. Users who find that an app is malicious should uninstall it without delay. On iOS, if a malicious app was installed, users should also remove the configuration profile that came with it under Settings > General > VPN & Device Management.
Users entering the crypto world and looking to create a new wallet are advised to use only a trusted device and a trusted app before transferring their hard-earned money.
“Since the attackers know all of the victim’s transaction history, the attackers might not steal the funds immediately and might instead wait for a better opportunity after more coins have been deposited,” Stefanko writes in the report.